Windows 7 suffered a no user intervention required remote root flaw before it was introduced:
The more than 6,000 attendees who will be walking away from the sold-out event with the Windows 7 operating system software in hand could have been vulnerable to an attacker exploiting the security hole. "The code that will be distributed at PDC for Windows 7 was put on CD before last week's security update was developed, so it will not contain the update," a Microsoft spokeswoman wrote...
This is to be expected because Windows code does not change much. 2000, XP and server 2003 were listed as sharing the problem.
Update, November 3: ActiveX is still a hole in Vista, and that has probably carried over into Windows 7.