The traditional response has been to point out that Apache has a much larger market share than IIS yet IIS has many more security problems, exploits, viruses, etc. than Apache.
I just read on https://slashdot.org/ that there is a virus going around attacking Windows systems through MySQL. I don’t know the details of how it does it but apparently it has already found and infected quite a few Windows machines. You would think Windows servers running MySQL would be pretty darn rare, and you would be right. This is another excellent example of how popularity is not necessary for a platform or specific software combination to be targeted for viruses.