I tend to agree with your other points, though if Linux actually reached a critical level of use, its security practices would start getting tested, too. Attackers love to see Linux systems because they're trusted to be secure, a trust which is often violated. You seem to know what you're doing, but the corporate Linux uses that I've seen have relied on poor understanding of how they should be maintained, often based on arrogant declarations from the sysadmins who do things like boast of not having rebooted the web server in two years.
Security is like a game of chess between two or more people. It's not a game of a person against a machine.
The nice thing about Linux is that any sane configuration means you aren't going to worry about a Web site doing a drive-by installation of malware. That does not mean a skilled and determined attacker couldn't penetrate it.
Corporate users of anything should be letting IT deal with security (and follow IT's policies) and focus on doing their jobs. Also, the kexec syscall means it really is possible to avoid rebooting a server for two years while continuing to keep the kernel and userland software up-to-date, not to mention that large organizations tend to have multiple redundant servers so that a few can be rebooted at a time while maintaining availability. If you're talking about a single physical machine running a two-year-old kernel, and connected to the Internet, then yes, that's just asking for trouble. Linux sadly isn't the first magical idiot-proof system. It just doesn't try to be, which is more than I can say for Windows.