Linux and Windows can be equally secure when locked down properly.
The thing is, most people in charge of administrating servers don't know as much as they think they do, and thus a lot of stupid mistakes are made. I would trust someone who did nothing but read a MCSE test prep book to lock down a Windows Server box.
I would trust no less than an experienced systems programmer to lock down a Linux box.
Its not more secure if half the admins out there are too ignorant to know how to close all the holes that are inherent in it.
Desktop machine: 2 x Opteron 246, Asus K8N-DL, 2GB PC3200 ECC Reg., XFX GeForce 6600GT, 74gb WD Raptor, 2 x 19\" LCDs, Windows XP x64
Server machine: Intel P4 3.0GHz 2MB EM64T, ECS i865pe, 1GB PC3200, 36gb WD Raptor, Windows Server 2003
Laptop: Dell Inspiron 9100 (Intel P4 3.2GHz 1MB Prescott, i865pe, 512MB PC3200, Mobility Radeon 9700, DVD+R/DL Burner), Windows XP
Linux: P3 450Mhz, 386MB ram, Slackware 10.1 (Running mySQL/Apache)