
It could just be an SQL injection vulnerability or arbitrary shell command execution vulnerability in some PHP plugin module of some web app framework, yet Linux as a whole gets blamed.
The thing is that Linux these days means what your distro ships with it. You could argue that Linux itself is just the kernel, which is not very vulnerable, but also useless without programs such as Apache, PHP, etc.
If Linux is "what your distro ships with", then you should cut it some slack, because last I checked, distros didn't ship with broken (exploitable) PHP code on a public-facing webserver.
Microsoft has put a lot of effort into lowering the attack space with Longhorn and Linux distros could probably learn from this.
I don't really agree with this point, but I'm willing to be swayed. Can you give an example of something that MS is doing that usefully improves security, and which could be applied to a Linux server system?