Re: How is this any different than anyone else's OS?
"Is a lengthy list of security fixes a good thing (because a lot of stuff is being found and fixed) or a bad thing (because there were so many issues before)"
Always, always, always a good thing.
No-one writes perfect code. Any complex software is therefore riddled with bugs automatically - be they typos in the UI or an escalation of privilege vuln that allows complete remote takeover, there's usually dozens of bugs of each type. If you don't have long lists of security fixes, then either a) your software is insecure as hell and people are going to attack the hell out of it, or b) your software is insecure as hell but no-one bought one so no-one is bothering to write attacks on it.
Apple from the 1990s very much fell into the second camp; their wafer-thin market share and the fact that no-one would dream of storing any useful data on an Apple machine at that point meant there was simply no market for attack vectors, so no-one cared to look for them. This is where we get the myth of Apple security from - the castle was made of wood and was missing two walls, but there were no invaders, while MS at the time (who weren't much more secure) were being constantly bombarded.
Microsoft learned from that and actually do spend a hell of a lot of resources on security since then; their problems (much like Android's today) largely stem from the sheer size of their market share encouraging most malware writers to target their OS. Conversely, Apple largely decided that the lack of viruses and hacks on Macs was due to their own genius. This is why Eugene Kaspersky said Apple were a good ten years behind MS on security - he didn't mean technologically, he meant culturally. Apple's culture by about 2010 was all about making access easy and avoiding the user being forced to jump through security hoops, at a time when people found their Windows machines popping the UAC every time they wanted to open a program and most Linux distros demanded a sudo for more or less anything more involved than opening the web browser. The lack of annoying sec checks appeals to users... but is exactly the sort of thing that was regularly slammed by security professionals.
Apple have made some good strides in this in recent years, but tbh some of their security practices flagged since 2007 have been face-palming embarrassing 1998 stuff. The overwhelming faith placed in the walled garden, for example, is conceptually utterly wrong. Good security assumes that your opponent has information you don't, and so will be able to breach your security (both GCHQ and the NSA, for example, run on the assumption that their security is permanently compromised and all internal network comms are being intercepted by rival agencies).
I generally divide attackers into three categories - category 1 covers 95% of attacks, and is generally script kiddies. A decent firewall, antivirus and antimalware will offer complete protection against these guys, and they're also the group which the walled garden protects you against. Category 2 covers 4% of attacks, and these are seasoned professionals who really know what they're doing; they use zero-days, social engineering and have some serious coding clout. These guys are genuine criminal hackers, and they're the ones that you need good, well-trained security professionals to combat. These guys ignore Apple devices not because they can't breach them, but because there's much, much better returns to be had from targeting Android and Windows machines. Why waste a week finding hacks for the iPhone when you could hit 9 times as many people on Android for the same amount of effort?
Then there's category 3, who cover about 1% of attacks and you simply cannot defend against them, only attempt to detect what they did after the event. These are the guys who don't just use zero days; they discover them and will deploy multiple examples in an attack; they're the kind of guys who can write a virus that targets a specific set of serial numbers for centrifuges made in a small geographic area between two dates and so shut down the Iranian nuclear program. They generally have state backing, and you're not really going to be able to stop them short of air-gapping, custom O/Ses completely divorced from the OSI model and generally just preventing any means of access. The main defense against these dudes is simply not being a worthwhile target, since governments mostly spend their time hacking each other and ignoring the rest of us.