"This is surely true, but at least on Windows the central security holes do not lie in Windows itself"

They don't ? IIRC, stuxnet was an autorun exploit of some kind and the recent unpleasantness was all based on built-in SMB functionality ... right ?