It's always difficult to get into simple "which operating system is more secure?" matches without really understanding computer and operating system architecture because not all OS-level security vulnerabilities are created equal.
If you count the number of security vulnerabilities in Mac OS X over the past twelve months and the number of security vulnerabilities in Windows over the past twelve months, the numbers are pretty similar. But Windows is completely overrun with viruses, and the Mac has none. Why? Many people, especially people who do not understand computer security, believe that if both operating systems have the same number of security flaws, then it makes sense that they should both be about as vulnerable to viruses, so the fact that there are more Windows viruses than Mac viruses must be because there are more Windows computers than Mac computers.
But not all security vulnerabilities are created equal. In order to be useful for spreading viruses or worms, a particular security flaw must have several very special characteristics. It must, for example, be remotely exploitable, which means it can be triggered by someone who is not sitting in front of the computer--for example, by sending a special code to a Web browser, or by causing a special string to be sent to a particular TCP/IP port. It must allow arbitrary code execution, meaning that the attacker must be able to use the security flaw to run any code he wants--a security flaw that simply causes a Web browser to crash, for example, but does not allow the attacker to run code on the affected computer, is not useful for spreading viruses or worms. And finally (and most importantly from a standpoint of attacking Mac OS X), the code that the attacker runs must run with elevated privileges, and be free to affect system files or other files on the computer.
If you look at a list of security vulnerabilities on the Mac and on Windows, you quickly see that a good many Windows vulnerabilities are remotely exploitable, whereas fewer Mac OS X vulnerabilities are. The vast majority of Mac OS X security exploits require the attacker to be able to physically sit down in front of the computer and use its keyboard. Security vulnerabilities that can only be exploited by a local user are still a big concern, especially for businesses where many computers might be used by many people, but they are not useful to people who want to spread worms or viruses.
There are a handful of Mac security vulnerabilities that are remotely exploitable, but most of these are "denial of service" attacks, meaning they can cause the computer to crash, but they can't be used by the attacker to run code on the computer. And of those attacks which are potentially remotely exploitable and allow arbitrary code execution, there is one fundamental difference between Windows and OS X that has so far stopped every OS X virus in its tracks: the operating system requires the user to type an Administrator password before a program can be run with elevated privileges.
To date, not one single security flaw has been found in OS X which is remotely exploitable, allows arbitrary code execution, AND allows a program to change system files without the user typing in the Administrator password.
However, there are many such Windows vulnerabilities, in part because Windows does not enforce the same kind of division between "user" and "administrator" that Mac OS X does. That is the great Achilles' heel of Windows. Many Windows programs and processes, even if they are run from a limited user account, run with full administrator privileges at all times. Bizarrely, and catastrophically from a security standpoint, Internet Explorer is one of these. Internet Explorer is a program that always has full access to all parts of the system at all times, even if the user is running from a limited account. That means any security flaw in Internet Explorer can be used by a hacker to take over complete control of the system, without the Windows user needing to type in an administrator password. This is why Internet Explorer can be used for "drive by downloads" (which infect a computer whenever the user visits a certain Web site). This is also why a Windows user can become infected by reading a specially rigged email, even without downloading the attachment--because in Windows, when you read an HTML email, the Internet Explorer libraries are used to interpret the email, and the Internet Explorer libraries run with full system access.
Vista makes things better--but not by much. Microsoft claims that in Vista, Explorer does not have full system privileges any more. That is only partly true. What actually happens is that a supervisor program sits on top of Explorer and decides what level of system access Explorer should have. Unfortunately, there are vulnerabilities which allow a malicious user to trick the supervisor into thinking Explorer should have full system access when it should not...
Vista also has introduced a security option that creates a stronger division between "user" and "administrator" functions, like Mac OS X. However, many reviewers have said it is so badly designed that it is virtually non-functional, and that most Vista users turn it off. (I only know one Vista user, and she has turned it off.) So many normal, day-to-day operations of a normal, everyday computer program require access to what Vista considers "privileged" system resources that in practice, the password prompt comes up again and again and again and again--dozens of times a day, even when you're not installing software or modifying the system. For example, on my friend's computer, it comes up every time she starts Photoshop. So in practice, people tend either to stop reading the dialog and just always type the password because they get so used to seeing the prompt, or they shut it off completely. (There is a Mac TV commercial that makes fun of this, in fact.)
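The difference between counting vulnerabilities and counting the ones that meet all three characteristics described above can be checked mechanically. The following is an added example, not part of the original text: it buckets CVSS v2 base vectors, assuming that an unauthenticated network vector with complete confidentiality, integrity and availability impact stands in for "remote, arbitrary code, elevated privileges"; the platform names and vectors are constructed sample data.

```python
from collections import Counter

# CVSS v2 base metrics and the values each may take.
ALLOWED = {"AV": "LAN", "AC": "HML", "Au": "MSN", "C": "NPC", "I": "NPC", "A": "NPC"}

def parse_vector(vector):
    """Parse e.g. 'AV:N/AC:L/Au:N/C:C/I:C/A:C'; reject malformed vectors."""
    metrics = {}
    for part in vector.strip().split("/"):
        key, sep, value = part.partition(":")
        if not sep or key not in ALLOWED or key in metrics:
            raise ValueError(f"bad or duplicate metric: {part!r}")
        if len(value) != 1 or value not in ALLOWED[key]:
            raise ValueError(f"bad value for {key}: {value!r}")
        metrics[key] = value
    if set(metrics) != set(ALLOWED):
        raise ValueError(f"missing metrics: {sorted(set(ALLOWED) - set(metrics))}")
    return metrics

def classify(vector):
    """Bucket a vulnerability by the three characteristics in the text."""
    m = parse_vector(vector)
    if m["AV"] != "N":                       # needs local or adjacent access
        return "not-remote"
    if m["C"] == "N" and m["I"] == "N":      # at most a crash
        return "remote-dos" if m["A"] != "N" else "remote-no-impact"
    # Assumption: unauthenticated + complete C/I/A stands in for
    # "arbitrary code running with elevated privileges".
    if m["Au"] == "N" and m["C"] == m["I"] == m["A"] == "C":
        return "remote-full-compromise"
    return "remote-limited"

def summarize(records):
    """Map platform -> Counter of buckets for (platform, vector) pairs."""
    out = {}
    for platform, vector in records:
        out.setdefault(platform, Counter())[classify(vector)] += 1
    return out

# Constructed sample: two hypothetical platforms, four entries each.
SAMPLE = [
    ("platform_a", "AV:L/AC:L/Au:N/C:C/I:C/A:C"),
    ("platform_a", "AV:L/AC:M/Au:N/C:P/I:P/A:P"),
    ("platform_a", "AV:N/AC:L/Au:N/C:N/I:N/A:P"),
    ("platform_a", "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    ("platform_b", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ("platform_b", "AV:N/AC:M/Au:N/C:C/I:C/A:C"),
    ("platform_b", "AV:N/AC:L/Au:N/C:N/I:N/A:C"),
    ("platform_b", "AV:L/AC:L/Au:N/C:C/I:C/A:C"),
]

if __name__ == "__main__":
    for platform, buckets in summarize(SAMPLE).items():
        print(platform, sum(buckets.values()), dict(buckets))
```

Both constructed platforms have the same raw count, but only one has entries in the bucket that matters for self-spreading malware, which is the comparison a patch-prioritisation review should make instead of comparing totals.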