I'm the security lead for DotNetNuke so thought I'd post a few points here. I dislike "attack" documents that list numbers of vulnerabilities to justify the security of a platform, as many other elements come into play, but I'll provide a few details to allow users to make an objective decision - primarily as when a vendor/hoster gives an opinion such as "microsoft is insecure" this is subjective and the only way to combat that is with objective points.
There is certainly a long-standing (and incorrect) feeling that Microsoft and Microsoft products such as Internet information services (IIS) and SQL Server and not as secure as other products (mostly from other OS stacks). Much of this stems from large scale issues such as Nimda/Code red, which were serious problems - but occurred in 2001, and are no longer relevant IMO. After that fiasco, Microsoft introduced their secure development life cycle (SDLC) which all products go throug. The first products that went through the process showed huge reductions in vulnerabilities, with Windows Vista having a 45% reduction over XP in its first year after release, and SQL 2005 showing a 91% reduction over SQL 2000 in its first three years after release(http://www.microsoft.com/security/sdl/benefits/measurable.aspx. The success of the SDLC has led it to be hailed as the industry leading software security assurance process, with a number of secure experts suggesting that other vendors such as Apple have an inferior process and should consider using Microsoft's SDLC (http://news.softpedia.com/news/Apple-Software-Security-Inferior-to-Microsoft-s-Says-Iconic-Hacker-139942.shtml)
Some of the misperception also comes from classic asp, which predated the SDLC and had a number of serious issues. However asp.net (which went through the SDLC) has an excellent history, with only 9 issues found since release in 2001, all of which are patched. Only 2 vulnerabilities have been reported since 10th October 2007.
The other large application server on the market, PHP, has a completely different story. It has suffered from 217 issues in its lifetime (September 2009 to date) , including 34 so far in the first 9 months of 2010.
SQL Server also is similar, with sql 2000 suffering from many issues but SQL 2005 and above (again SDLC'ed products) having an excellent record, much superior to other databases such as oracle or mysql. The statistics on secunia make interesting reading - SQL 2008 (http://secunia.com/advisories/product/8355/?task=advisories) , MySQL5 (http://secunia.com/advisories/product/8355/?task=advisories), Oracle 11 (http://secunia.com/advisories/product/18050/?task=advisories)
Whilst numbers of issues provide some context for security, far more important (IMHO) is that products have a security process. Every product will have bugs, some of these will be security related, what's important is that an effective process exists to deal with this. With DotNetNuke we have a dedicated security team that responds to mails sent to our security@dotnetnuke.com alias. This team helps to validate reported issues and work on solutions for them, frequently with a turn-around measured in days. In addition we work on providing security guidance and documentation (primarily via our blog and the http://security.dotnetnuke.com homepage), as well as looking to enhance the security in DotNetNuke by adding additional layers of security at the core level (a "defence-in-depth" approach) and proactively auditing both the core and core modules for security issues (in fact all core modules must pass a security audit to be released). As others have pointed out, keeping your releases up to date is usually the best thing you can do to remain secure (we still get reports of hacks from the fcklinkgallery issue we fixed 3 years ago - imagine how long it would take to hack your machine if you hadn't applied any service packs/updates in 3 years?)