Re: ESX is not part of vSphere (ESX != ESXi)
ESX4 is the previous major version and is still maintained. As per the above a comparison with Server 2008 is valid.
For ESXi, they just ditched that legacy Linux console rubbish as an interface and moved to Powershell. If you prefer to consider ESXi, then version 5 already has 177 known vulnerabilities: http://secunia.com/advisories/product/39098/
Comparing to Windows Server 2012 - which is a much larger product, but only has 25 known vulnerabilities - http://secunia.com/advisories/product/42761/
For the record, Hyper-V vulnerabilities are NOT equivalent to Windows Server vulnerabilities. Hyper-V Server includes pretty much only the Windows micro kernel plus a few low level libraries and some drivers.
Only a single DOS issue in 6+ years is a pretty impressive security record. It was only exploitable by authenticated local users, so it was not a 'serious' issue at all.