This is a better question than most here will give credit, regardless of how sleazy it is that MS sales reps are using it as a tool.
The real focus needs to be determined. Is the question whether open source software development methodology is inherently vulnerable? Or is the question whether open source project X is more vulnerable than proprietary project Y?
I'll address my thoughts on the open source methodology, and the argument I use in these discussions.
Software security is reliant on a couple of key factors. Obscurity is the first one most people think of, and despite the prevailing feeling, obscurity is an excellent security control that protects against certain types of attacks. However, reliance on obscurity for security is not a good idea because over time most secrets are disclosed.
Good security architecture relies on robust security controls that maintain integrity even when attackers are fully aware of the mechanism's internal working. Perhaps it helps to think of it this way: imagine two people walking down the street. One is alone and vulnerable but in disguise and very hard to recognize. He's relying on obscurity for security, and it will probably work. The other person is surrounded by bodyguards and the entire region for miles around is swarming with more guards and surveillance teams. He's relying on a robust security control (really controls) and it doesn't matter if attackers know the details, they still aren't going to have an easy time getting through to him.
So open source projects are not insecure because they are open, and in fact many would argue that their very openness provides insurance against stupid decisions to use weak security controls and protect them only through obscurity (a classic move of proprietary systems, just think of the old MS password hashing scheme, or a dozen other proprietary security controls that turned out to be too weak to withstand public scrutiny).
The vulnerability numbers bear out this basic concept with more vulnerabilities relating to Windows systems than to *nix systems despite *nix systems running many more critical systems. I'd have to say that this is in large part because the underlying security controls of *nix systems are dissected by obsessive compulsive geeks, like us.
To convince your boss that FOSS is OK, do some research on vulnerabilities reported in the NVD. A (very) informal check shows about 1200 vulnerabilities tied to Linux and 1400 tied to Microsoft. I'd suggest doing more, and better, research than that before sitting down with the CEO to discuss this but the numbers seem to be on your side.
I'll end by saying that FOSS products are not always secure, and the open source development methodology is not inherently secure if the development community is too small to provide competent, and unbiased, security reviews of the software. A very large project, like Apache or Ubuntu, is likely to fare well when compared directly to IIS and Windows. A smaller open source project, like a contributed module to Drupal, may be riddled with problems simply because not very many people took the time to look at it before deployment. That is one advantage of a commercial company: they (should) have a good QC/QA program to make sure bad products don't get shipped (they get sold to Microsoft who can ship crap with impunity ;-)).
Anyways, it should be an easy argument with NVD numbers to back you up and the concept that security through strong algorithms and good architecture is more important than security through obscurity.