Microsoft does a fairly good job at maintaining a generally usable driver set available through Windows Update. It's usually not the latest version (and often is a generic driver from a few years ago), but it works. They have an additional problem if it comes from their servers, they get blamed if something goes wrong. Hence the testing and stability requirements before it goes into the repository, because if they break a million systems with a bad driver update, it hits the news even if it is a comparatively rare impact.
I tend to agree with your other points, though if Linux actually reached a critical level of use, its security practices would start getting tested, too. Attackers love to see Linux systems because they're trusted to be secure, a trust which is often violated. You seem to know what you're doing, but the corporate Linux uses that I've seen have relied on poor understanding of how they should be maintained, often based on arrogant declarations from the sysadmins who do things like boast of not having rebooted the web server in two years.