Yeah, I've read this "market share" argument used as a defense for shoddy MS code time and time again. That just doesn't cut it.
So you think that an attacker thinks he must exploit each platform proportional to the market share?
Or do you believe that each attacker randomly chooses a platform to specialize in proportional to market share. Or do they keep a list with number of slots according to each OS's market share?
Now, if the targets were 10 ft in front of you and both easily hit, how would you spend your 12 shots? Would you aim 3 shots that the smaller target and 9 shots at the larger target because that seems the fair thing to do? Or would you just shoot all 12 shots at the smaller target and go home with $2400? I know what the typical person would do.
Only when you move both targets so far back that both of them gets pretty hard to hit would any sane person consider spending any rounds on "OS X".
Attackers chose target platform based this simple economics. As long as Windows has 15 - 20 times (worldwide) the market share of OSX and as long as the limiting factor of attacks is time (the actual creation of an exploit), the attackers are going to target Windows each and every time. Only if they cannot find any exploitable vulnerabilities in Windows will they invest in another platform.
Oh, and what about Apache you say? Apache has 2 times the market share of IIS (roughly). Why isn't Apache attacked exclusively for the same reason. The difference here is that these targets are pretty distant; both Apache and IIS are pretty tight. Neither Apache nor IIS5, 6 and 7 has seen successful widespread attacks directly at the server. Neither Linux nor Windows are vulnerable at the network level anymore, especially not when behind a firewall as *all* webservers are nowadays.
The shooters have simply given up (for the time being) and went to another shooting range with better odds. BothApache and IIS has seen widespread attacks against vulnerable applications running on top of the servers. Here you could certainly argue that attackers has a preference for PHP and ASP.Ancient.
After a number of decimal places, nobody gives a damn.