When Steve Ballmer has to compare Windows Server 2003 (MS's current offering) to Red Hat 6 (Red Hat is shipping or about to ship version 10) to score points in a CERT Security Advisory Shootout, you can just smell the fuzzy math a mile away. If he could make the claim stick against more recent Red Hat versions (maybe the versions Red Hat is actually shipping today), wouldn't he have? Also, he says "4 to 5 times" the number of vulnerabilities for Red Hat compared to Windows. We'll assume it's 4 since he doesn't just give out a number, and that's not all that bad compared to Windows 2000's 17.
Ballmer may be referring to reports like this from the Aberdeen Group (full version requires free registration). If that's the case, then the number for open source is 16, not "4 to 5 times Windows Server 2003" but exactly 4 times. And that's all open source. I doubt very much if Windows Server 2003 can keep the number down to 4 with every conceivable Windows product installed. The Aberdeen report does quote a total number of 7 advisories affecting MS products for the same period.