Red Hat has just released "Risk report: Four years of Red Hat Enterprise Linux 4".
This sort of thing is why I feel very good about selling and supporting Red Hat Linux. You won't find any other OS vendor offering an honest look at the security of their software or producing such metrics.
Red Hat Enterprise Linux ships server, desktop, email and web browser software, and all of it is included in this analysis. A production server would carry only a fraction of these packages, which removes many of the potential vulnerabilities counted in the report.
Executive Summary: The top three riskiest packages, and the main sources of potential security problems, were mozilla, firefox, and thunderbird. All three are desktop packages providing very complicated functionality (hence more potential for bugs) and would not normally be installed on a server. The riskiest server package was PHP (used to implement CMS systems such as Drupal and Joomla), which gets a section of the report to itself. Over the past four years there was not a single worm or virus that affected Red Hat Linux, as long as you were not running PHP.
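The claim that a server is not exposed to the report's riskiest packages is easy to assert and easy to verify. The following script is an added example (not from the original post or from the Red Hat report): it takes a package-name list, on a real RHEL host the output of `rpm -qa --qf '%{NAME}\n'`, and flags any package that matches one of the names called out above or one of their subpackages (php-mysql, firefox-devel and so on), since a subpackage is just as much a sign that the risky code is present. The package names are assumed to match what the release ships; adjust the list for your own release, and the sample package list at the bottom is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not code from the post or the Red Hat report.
# Checks an installed-package list against the packages the post singles
# out as the riskiest. On a real RHEL host feed it `rpm -qa --qf '%{NAME}\n'`.

# Packages the post names as the top sources of critical issues.
# Assumed package names; adjust for your release.
RISKY_PACKAGES="mozilla firefox thunderbird php"

# Read package names (one per line) on stdin and print, sorted and
# deduplicated, those that are a risky package or a subpackage of one
# (e.g. php-mysql, firefox-devel). Names that merely contain the string
# without the dash separator (phpmyadmin) are not matched.
find_risky_installed() {
    sort -u | while read -r name; do
        for risky in $RISKY_PACKAGES; do
            case "$name" in
                "$risky"|"$risky"-*) printf '%s\n' "$name"; break ;;
            esac
        done
    done
}

# Return 0 if no risky package is present, otherwise list the hits on
# stdout and return 1, so the function can gate a provisioning script.
check_server() {
    hits=$(find_risky_installed)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample package list for a web server that has PHP and a
# Firefox development subpackage installed; a real host pipes rpm output.
SAMPLE_WEB_SERVER="httpd
openssl
openssh-server
glibc
php
php-mysql
firefox-devel"

if [ "${1:-}" = "--self-test" ]; then
    printf '%s\n' "$SAMPLE_WEB_SERVER" | check_server || echo "risky packages installed"
elif command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME}\n' | check_server && echo "no risky packages installed"
fi
```

Run it with `--self-test` to see the constructed sample flagged (php, php-mysql and firefox-devel), or without arguments on an RPM-based host to check the live package set. When a hit turns up, `rpm -q --whatrequires <name>` shows what depends on it, which tells you whether the package is there by design or was pulled in as a dependency you can remove.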
None of my web servers is running any of the packages that have had critical problems. So, in theory, I could have run my servers for the last four years without patching a single time and been OK.