A given bug in a GNU/Linux distro tends to affect a single piece of software which any given user may or may not have installed, may or may not be using, and/or may or may not be using in a way that exposes them to the vulnerability. There are classes of bugs for which this is not true, mostly affecting the kernel itself, but these are fairly rare.

Bugs affecting Windows frequently exploit features which are deep and broad, have profound systemic effects, or are easily exploitable on large classes of systems. The Sapphire/Slammer worm comes to mind -- you wouldn't think that the Microsoft SQL Server would be a widely installed desktop component, but as the Desktop Engine, it was. http://en.wikipedia.org/wiki/SQL_Slammer

Other factors affecting this:

With Linux, I have one-stop shopping for most of my security updates affecting virtually ALL software on my system. Updates are atomic, can generally be applied without rebooting, and (due to nearly two decades of process improvement and strong policy) nearly always work. There are differences even among distros -- I find Debian tends to have the most robust practices, so long as you stick with stable, RHEL is a lot more hit-or-miss. This is a direct consequence of Debian Policy. Read it and understand it.

Linux software components tend to do one thing and one thing well. Rather than ship kitchen-sink "Enterprise Solutions", most Linux software and subsystems focus on a single task, are principally controlled and configured via commandlines and textfiles (lending themselves to scripting, version control, and configuration management generally, hence, better and more consistent processes). Again, not uniformly true, with GNOME (not a server package) and Systemd being notable exceptions.

There's an unprecedented level of transparency. Even as a mostly shell-tools kind of sysadmin, I can directly monitor system state through shell tools, strace, and /proc. Even finding myself on Linux-like environments (e.g.: Mac OS X, Solaris) lacking all of these features, I feel their absence profoundly. There's little about a process or system I can't examine directly and/or log.

There's more out there. If you're not willing to be convinced, there's little I can say or show you that will change your mind. But you're more than free to do your own legwork.