>And to think I'm usually the one defending MS's practices. But not in this case. It most certainly appears they need to get some more security experts assigned to the MS campus.
The issue is not so much a technical one as a policy one. The problem with IIS is not that it has more holes, but it exposes more functionality by default, which _exposes_ more holes. None of these worms would be a problem if the default IIS install was a bare bones, HTML only install, and all additional IIS functionality had to be intentionally added.
Apache is so much more secure because when you install it, all you get is a basic request parser to serve up pages on disk. IIS gives you bells and whistles out the wazoo, and the majority of the holes in the product (like the ones exploited by Nimda and Code Red) are in those bells and whistles.
Erik Moore
Clientelligence