Many of the 'potential buffer over-run' problems that were flagged against Linux were found by syntactic code analysis of the openly available source code. I have often wondered whether anything like the same was done on proprietary OSs.
I don't know how much code you look at, but peer review, which is practiced by most software companies, does not make you immune to code defects. It may protect you from howlers (stupid mistakes or typos), but it is unlikely to protect you from complex logic problems unless you are prepared to spend more time analyzing the code than was spent writing it. But it has its place.
The main difference in security between an OS like Windows, and a UNIX-like OS is the amount of time you have to be running a privileged account when using the system. I'm sure that if you were to look at most personal Windows XP installations, and probably Vista and 7 as well, the primary account used is an administrator account. This nullifies *ALL* of the actually quite good security model of Windows. It's not the design of Windows that is the problem, it is actually the way this design is implemented and (mis-)used in normal practice.
If you look at most Linux distributions, although the primary account is in an admin group of some sort, allowing the use of sudo, the accounts are not actually privileged in any other way. This means that for any infection vector, you *STILL* have to cross the privilege barrier in order to touch the OS. And if you are worried, it is easier still for an everyday account to be set up that does not even have this privilege. But that will not protect personal information or code that is installed and run from user-space, just the system. But in a multi-user world, I prefer to know that the basic OS is mainly immune from something somebody else is doing.
This is not complete protection. Anybody who thinks that one measure on its own will provide total protection is a fool, but it is a fairly large first hurdle to jump for infection vectors involving users compared to Windows.
BTW, although I know that Android is based on Linux, I don't count it as a Linux for exactly the reasons you are thinking of. It still has privilege separation, but most of the code is installed and run in user-land.
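The distinction the post draws between "running as an administrator", "an ordinary account that can sudo" and "an ordinary account with no escalation path" can be turned into a small audit check. The following is an added example, not code from the post's author: it classifies an account from its uid and its membership in groups that commonly grant sudo (the group list `sudo wheel admin` is an assumption, since it varies by distribution). It runs against a constructed `/etc/group`-style sample so it works offline; set `LIVE=1` to inspect the account you are actually logged in as.

```shell
#!/bin/sh
# Added example: classify how privileged an account is.
# Constructed sample data is embedded so the script runs offline;
# LIVE=1 switches to the real system (id and /etc/group).

# Groups that commonly grant sudo rights. Assumption: distribution-dependent.
ADMIN_GROUPS="sudo wheel admin"

# Constructed sample in /etc/group format (name:password:gid:members).
SAMPLE_GROUP_DB='root:x:0:
sudo:x:27:alice
wheel:x:10:carol
users:x:100:alice,bob,carol
audio:x:29:bob'

# admin_groups_for USER GROUPDB
#   prints the admin groups (from ADMIN_GROUPS) that list USER as a member
admin_groups_for() {
    user=$1
    groupdb=$2
    found=""
    for g in $ADMIN_GROUPS; do
        # Field 4 is the comma-separated member list; match the user exactly.
        if printf '%s\n' "$groupdb" | awk -F: -v g="$g" -v u="$user" '
            $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
            END { exit hit ? 0 : 1 }'; then
            found="$found${found:+ }$g"
        fi
    done
    printf '%s\n' "$found"
}

# classify UID USER GROUPDB   prints one of:
#   privileged    uid 0: everything the user runs has full rights
#                 (the everyday-administrator situation described above)
#   sudo-capable  ordinary uid, but in a group that can escalate; the
#                 privilege barrier exists, one authentication away
#   unprivileged  ordinary uid with no escalation path via group membership
classify() {
    uid=$1
    user=$2
    groupdb=$3
    if [ "$uid" -eq 0 ]; then
        echo privileged
    elif [ -n "$(admin_groups_for "$user" "$groupdb")" ]; then
        echo sudo-capable
    else
        echo unprivileged
    fi
}

if [ "${LIVE:-0}" = 1 ]; then
    # Real system: the account you are logged in as.
    classify "$(id -u)" "$(id -un)" "$(cat /etc/group)"
else
    # Constructed sample: alice and carol can sudo, bob cannot, root is root.
    for u in alice bob carol; do
        printf '%s: %s\n' "$u" "$(classify 1000 "$u" "$SAMPLE_GROUP_DB")"
    done
    printf 'root: %s\n' "$(classify 0 root "$SAMPLE_GROUP_DB")"
fi
```

The check only covers escalation through group membership; per-user sudoers rules, setuid helpers and capabilities are outside what it sees, which is why it is a first hurdle to audit and not a complete picture.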