UNIX is inherently harder to crack, and of course apache is generally run on cheap UNIX or more specifically, linux servers. IIS of course runs on Windows, which is the subject of more attacks and let's way, WAY too many services run as root, or whatever the root equivilent is on Windows.

Mac OS X is based on UNIX right? BSD or something? That's likely a big part of the security in Mac OS, being based on something that was a multi-user operating system for many, many more years than Windows ever was. UNIX has been run on major networks right from the start, wheras Microsoft didn't even build any usable networking functionality into their OS until good old Windows for Workgroups 3.11.

At the business level, NT was really the first honest network-ready OS from Microsoft, to my knowledge. UNIX had already been around for a million years when NT came out, and it was designed from the start to be a secure, multi-user OS enterprise, unlike Windows which was designed from the start to be a single-user desktop OS. I think Mac's extensive push of Macs in the classroom and universities helped drive their focus for network security a lot sooner than Microsoft.