Linux Security


I'm a big fan of the Honeynet Project (and a member of their board of
directors). They don't have a security product; they do security
research. Basically, they wire computers up with sensors, put them on
the Internet, and watch hackers attack them.

They just released a report about the security of Linux:

Recent data from our honeynet sensor grid reveals that the
average life expectancy to compromise for an unpatched Linux system has
increased from 72 hours to 3 months. This means that an unpatched Linux
system with commonly used configurations (such as server builds of
RedHat 9.0 or Suse 6.2) has an online mean life expectancy of 3 months
before being successfully compromised.

This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes.

It's also important to remember that this paper focuses on
vulnerable systems. The Honeynet researchers deployed almost 20
vulnerable systems to monitor hacker tactics, and found that no one was
hacking the systems. That's the real story: the hackers aren't
bothering with Linux. Two years ago, a vulnerable Linux system would be
hacked in less than three days; now it takes three months.

Why? My guess is a combination of two reasons. One, Linux is that
much more secure than Windows. Two, the bad guys are focusing on
Windows — more bang for the buck.

[Schneier on Security]
