I would also like to add that by numbers, in my experience, Microsoft-type networks/machines are the hardest to secure for many reasons. Certainly, a well-configured Windows 2000-only network can be pretty secure, but for the same amount of effort a Solaris, Linux, HPUX... network can be hardened so much more.

From the IT Security Audit point of view it is also a lot easier to grab the specifics which need fixing; with an MS environment there can be so many hidden flaws that a little "ethical hacking" is often the only way to get a good feel for the vulnerable areas.

As far as disclosure of holes/vulns goes, open source wins hands down. The fights I have had with vendors like MS to get increased notification, faster patch cycles, etc. are so tedious. With open source products, the contributors seem to fight to be the first to fix any issue, which makes for a speedy fix.
_________________________
Rory
MkIIa, blue lit buttons, memory upgrade, 1Tb in Subaru Forester STi
MkII, 240Gb in Mark Lord dock
MkII, 80Gb SSD in dock