Re: The real culprit
Most of the rest is Windows, and I'm willing to bet you aren't going to say Windows security is superior.
You might lose that bet.
The Windows object access control system is finer-grained and more consistent than the traditional UNIX one. I won't say it's "superior", because that's a meaningless term in this domain - a security system can only be judged against a threat model, so it's pointless to claim one is superior or inferior in the abstract, and that judgement is far too complex to reduce to a single dimension anyway.
Also, the Windows system has proven to be sufficiently complicated and confusing to be ignored by most administrators (note that most Windows administrators are non-technical end users), and a security system that's not employed doesn't do well under most threat models.
But its design does have advantages over the simplistic traditional UNIX one under many realistic threat models.