Two Florida researchers presented their findings to an RSA Conference of computer-security professionals. Apparently, one was a Microsoft enthusiast, the other a Linux enthusiast. My first thought was that this was another Microsoft-sponsored study, so that is obviously not the case. Comparing Windows Server 2003 and Red Hat Enterprise Server 3, their research computed a metric called "days of risk," described as “the period from when a vulnerability is first reported to when a patch is issued.” The researchers found that, on average, the Windows server configuration had just over 30 days of risk versus 71 days for the Red Hat configuration.
This is obviously going to be very controversial. Hopefully, though, more objective studies like this one will be performed to spark constructive debate on the topic.