And how, exactly, is this different to the situation with Linux? There is no guarantee that someone will report a vulnerability to the maintainers of, say, a Linux distro, any more than that someone will report one to Microsoft. And what Linux distribution or major infrastructure project still runs an open access security mailing list today, with guaranteed full and immediate disclosure of all reported vulnerabilities?
Ultimately, unless you personally are directly involved with the security and maintenance of every major Linux project you use, you're still trusting other people to be honest in their disclosure and prompt with fixing security issues.
You're looking for guarantees while I'm talking about options. If you, as a security professional, are concerned about the code, you can scrutinize it. Windows doesn't give you this option. There's no guarantee of disclosure but probability suggests that with greater access to the code will come greater disclosure.
Yes, because obviously the people who are responsible for systems processing a quadrillion dollars of financial transactions just throw a quick Debian CD in the drive to set it up. I don't suppose they're taking any extra steps to audit or secure their systems beyond what a typical home user running Windows for Facebook and gaming would do. Hell, you could probably just walk right into their data centre and remove a hard drive while no-one's looking, and then take it home to look through the files in your own time.
It's ridiculous to assume that when we're talking about securing an office computing environment that we're not allowing for extra steps of auditing and securing in the process. The question is, then, which platform offers a better tool set for doing that?
Leaving aside whether or not any of those things are necessarily true in 2012, about 99.37% of the Linux user base is also experienced enough not to fall for typical malware scams, but I don't suppose that makes any difference.
In the sense that it's completely irrelevant to the discussion, you're correct, it does not. End users will always be the weak point in security. End of story. Now, the question is, do you by default give them write access to system directories, or not? Do you keep granular logs of each file I/O access by individual users?
You won't hear me say that Windows "sucks" at security, or that it hasn't improved significantly since XP. But the fact is that these same mechanisms MS is implementing in 2010, 2011, 2012 have been available to unix users for 30+ years. The whole model has been built around multi-user systems in networked environments with disparate resources moderated by varying levels of access. It's not something that was bolted on 17 years later as an afterthought.
More importantly, if the model that exists doesn't actually serve your organization's needs, there's nothing materially stopping you from modifying it until it does.