Incorrect on so many points.
Malware does not go where the users are in other environments, it goes where the ease of exploiting vulnerabilities and the size of the market make it worthwhile. Apache is more popular than IIS, yet IIS has more discovered and exploited vulnerabilities.
A secure OS would make sure that all code downloaded from the net is identified to the user as code downloaded from the net and its source/publisher, and a secure OS does not allow the downloaded code to execute until after the user has acknowledged that it is a downloaded program and given explicit permission.
If you exclude all malware/exploits on Microsoft operating systems, Microsoft makes the most secure operating systems, because there are, by definition, no malware/exploits.