Just look at website defacement stats and then divide by market share. You are far more likely to be compromised these days running a Linux server stack than a Windows one.
And here I thought that particular breed of ignorance was extinct in this day and age. Here's an education: OS and even web server software are pretty much non-issues for website defacement. Every major web server software, be it IIS, Apache, NGinix, or any of the various Java based servers (ie Tomcat) can be locked down so tight that the NSA would be jealous of their security.
When you actually dig into the statistics and look at how the attacks were accomplished it turns out that almost all of them came in either through a misconfiguration or through SQL injection. In other words bad administrators and web developers are to blame, not the OS or application.