More recently, Microsoft has worked to close this gap. I haven't seen a detailed survey of the issue since Ritchey's survey, but in my experience, Microsoft is meeting with some success in IIS itself. (However, major problems, such as WebDAV from May 2003, continue to be discovered.)
The hacker community has taken a keen interest in exploiting IIS, given its widespread use, history of flaws and Microsoft origin. While both Apache and IIS exploit research is ongoing, it appears that the number of people attacking IIS is higher.
So, how should you decide whether to go with Apache or IIS? I advise that you focus on the one where your team has the most system administration expertise. Sure, Apache may be theoretically less vulnerable than IIS. But, if your team cannot administer an Apache box, you are hosed. A well-maintained IIS box is certainly more secure than a poorly maintained Apache box. Likewise, if your team has solid Apache expertise, go with that.
This was first published in October 2003