Windows 7 is pretty damn secure, perhaps more so than Mac OS X and Linux with a default install. The problem is all the common shortcuts people take (in some cases are forced to take) to use the applications they need/want.
I still see regular end users routinely made administrators of their computers for no good reason, or due to sloppy software (hello, Intuit).
Absolutely. For most of the existence of Windows, even when it was notably insecure, the vulnerabilities were all the worse because most users routinely used "Administrator" as their default account. For many years this was in fact the default out of the box, so no wonder that it was such a common thing. This then precipitated the number of software applications that required Administrator permission to install or in some cases even to run, because it was assumed this was "normal" anyway.
Pwn2own doesn't work the way you think it does. The participants use prepared exploits. You can't infer anything about the relative security of different systems that both get exploited there.
Zero day hackers and the malicious Chinese hacker spies also use prepared exploits, so you can infer something about the relative ease of finding exploitable holes.
Pwn2own may use prepared exploits, but researchers tend to go for the easy low hanging fruit, so there is a lot to infer from who falls on the first day etc.
In the major distros (Fedora, Ubuntu and OpenSuSE), there are a lot of packages, some of which aren't used by most users, sometimes default iptables rules, sometimes no iptables rules at all.
In newer, less friendly but more tech oriented distros (these aren't opposing forces, but in Linux they're misunderstood to be) like Arch, a lot less.
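On the "sometimes no iptables rules at all" point, here is an added example (not from any commenter in this thread) of the check an admin would run to tell the two cases apart. It parses the output format of `iptables -S` and, per chain, reports whether the chain is wide open (policy ACCEPT with no rules), filtered (ACCEPT policy but rules present), or closed by a DROP/REJECT policy. The two sample rulesets are constructed to look like an unconfigured host and a typical distro default; on a real box you would pipe in `iptables -S` instead.

```shell
#!/bin/sh
# Added example: audit a filter table as printed by `iptables -S`.
# Usage on a real host:  iptables -S | audit_filter_rules INPUT
# The two samples below are CONSTRUCTED, not captured from any system.

# Sample 1: a host with no rules at all, every chain defaulting to ACCEPT.
SAMPLE_NO_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Sample 2: a ruleset resembling a distro default (stateful accept,
# loopback, ssh, then reject everything else on INPUT).
SAMPLE_WITH_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# audit_filter_rules CHAIN  (reads iptables -S output on stdin)
# Prints one word:
#   open         policy ACCEPT and no -A rules for the chain (returns 1)
#   filtered     policy ACCEPT but rules exist (returns 0)
#   drop-policy  policy is DROP/REJECT, so unmatched traffic is blocked (returns 0)
audit_filter_rules() {
    chain="$1"
    input=$(cat)    # read stdin once so it can be scanned twice
    # "-P CHAIN POLICY" lines give the default policy
    policy=$(printf '%s\n' "$input" | awk -v c="$chain" '$1=="-P" && $2==c {print $3}')
    # count "-A CHAIN ..." lines, i.e. rules appended to this chain
    rules=$(printf '%s\n' "$input" | awk -v c="$chain" '$1=="-A" && $2==c {n++} END {print n+0}')
    if [ "$policy" != "ACCEPT" ]; then
        echo "drop-policy"
        return 0
    elif [ "$rules" -eq 0 ]; then
        echo "open"
        return 1
    else
        echo "filtered"
        return 0
    fi
}

# Demo: report every chain for both constructed samples.
for s in "$SAMPLE_NO_RULES" "$SAMPLE_WITH_RULES"; do
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s: %s\n' "$chain" "$(printf '%s\n' "$s" | audit_filter_rules "$chain")"
    done
    echo '---'
done
```

The non-zero return on "open" is deliberate so the function can gate a config-management or CI check; note that it only inspects the chain you name, so an INPUT chain that is filtered while FORWARD is open still gets flagged when you loop over all three.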