An interesting study was presented at the RSA Conference this week.
Two researchers compared Windows Server 2003 and Red Hat Enterprise Server 3. Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued.
Findings:
Windows setup: risk window of 30 days
Red Hat setup: risk window of 71 days
The study was done by Richard Ford, a professor at the Florida Institute of Technology, and Herbert Thompson, director of security research at Security Innovation Inc.
"That's a very surprising statistic, and I must say the first time I saw this statistic I thought you messed with my database", commented Dr. Ford.