Viruses, trojans, adware, spyware… Windows lets all these enter your computer pretty easily. The average period of time before a Windows PC (connected to the Internet and with a default “Service Pack 2” installation) gets infected is 40 minutes (and it sometimes takes as little time as 30 seconds).
So you can either 1) install a firewall, 2) install an antivrus program, 3) install an anti-adware program, 4) get rid of Internet Explorer and Outlook (replacing them with Firefox and Thunderbird), and 5) pray that people trying to get into your computer aren’t smart enough to overcome these protections and that, if a security flaw is discovered, Microsoft will take less than a month to make an update available (and this doesn’t happen very often). Or you can install Linux and sleep soundly from now on.
As we have already said in the “virus” section, Open Source software (e.g. Linux) means more eyes to check the code. Every programmer on Planet Earth can download the code, have a look, and see whether it might have security flaws. On the other hand, the only people allowed to look at the Windows source code (its “recipe”) are people working for Microsoft. That’s hundreds of thousands of people (maybe millions) versus a few thousand. That makes a big difference.
But actually, it isn’t exactly a matter of how many flaws a system has, compared to the others. If there are many flaws, but nobody has discovered them yet (including attackers), or they are minor (they don’t compromise an important part of the system), attackers won’t be able to do great damage. It is really a matter of how fast a security flaw can be solved once it has been discovered. If a security flaw is discovered in an open source program, anyone in the open source community can have a look and help solve it. The solution (and the update) usually appears within a few days, sometimes even a few hours. Microsoft doesn’t have that much manpower, and usually releases security patches within about a month after the flaw has been discovered (and sometimes published): that’s more than enough for attackers to do whatever they want with your computer.