SECURITY

Gates' Mac Attack: Fact vs. Fiction


As Bill Gates worked the publicity circuit for Vista's release earlier this year, he was bombarded with comparisons between his new OS and the Mac OS X. He struck back at detractors during an interview, defending Vista's security and claiming that hackers find Mac exploits every day. OS X certainly has its flaws, but is it truly attackable?



It's been several weeks since Microsoft (Nasdaq: MSFT) launched Windows Vista for consumers. Back during the promotional push, Microsoft's Bill Gates was dogged by questions about Apple (Nasdaq: AAPL), including Apple's popular "Get a Mac" television ad campaign.

Imagine the guy's irritation: He's in the middle of trying to promote his shiny new operating system, which he wants everyone to know is leaps and bounds better than XP, and pesky reporters keep prodding him with questions about Macs.

Something had to give.

In an interview with Newsweek's Steven Levy earlier this month, Gates ignited the ire of Mac enthusiasts when he said to Levy:

"We made it way harder for guys to do exploits. The number [of violations] will be way less because we've done some dramatic things [to improve security] in the code base. Apple hasn't done any of those things. ... Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."

Of course, the blogosphere promptly jumped into the fray, lobbing insults, jibes and exaggerations before settling down into either a Microsoft or Apple camp.

What about now? Is there any truth behind Gates' comments?

Security Significance

First of all, security guys don't necessarily break the Mac every single day, and they certainly do not come out with an exploit that can totally take over a Mac running OS X. Gates, as Levy noted in a follow-up blog post, was referring to the "Month of Apple Bugs," a Web site that posted a bug per day during the month of January.

"The 'Month of Apple Bugs' was kind of an interesting thing, but ... it was not overly security significant," Matt Watchinski, head of Sourcefire's vulnerability research team, told MacNewsWorld. "But I think you're going to start to see more vulnerabilities on Mac OS X as it becomes more popular."

Popularity, it turns out, is perhaps the most important security factor in today's changing hacker world.

"The guys at Microsoft are largely victims of their own success -- they must find it incredibly frustrating," Graham Cluley, a security technology consultant for Sophos, told MacNewsWorld. "Because they've managed to sell so many copies of Windows around the world, that's what the hackers target. Hackers don't feel they have to go through the effort of writing Mac-specific exploits."

Hackers, Inc.

Only a few years ago, hackers were playing around for fun and glory, but today it's all about economics.

"What we're seeing right now is malware for profit," David Perry, director of global education for Trend Micro (Nasdaq: TMIC), told MacNewsWorld. "It's written by a different group of people -- professional programmers in the employ of organized crime. We're talking about criminals today who are only going to attack where they are getting responses."

Perry also noted that new vulnerabilities for Vista might not show up for months, maybe longer, often because these early vulnerabilities are being bought and sold on the black market. Perry said he is aware of a recent sale that reportedly went down for US$50,000.

If popularity illuminates vulnerabilities or actual exploits used in the real world, where does that leave Vista? Right now, like OS X, Vista is a niche operating system because so few people are using it compared to XP.

Vista Revealed

"Vista is a good step forward in terms of security, without a doubt," Cluley explained. "They've re-engineered Vista from the bottom up to secure it against many of the threats Windows was suffering from the past. So they now have things like kernel patch protection, the controversial PatchGuard utility, which will block a lot of existing rootkits from interfering with the low level of the operating system. You have user access control, which intercepts some of the behaviors which users are trying to do and asks them questions about whether they really want to do it."

In addition, Cluley added, Microsoft has reduced the opportunities for buffer overflows, which have often been a conduit for exploits. "And Microsoft has also radically revamped Internet Explorer ... they've built in things like phishing detection," Cluley noted. "So it's much better at telling you if you're going to a dangerous Web site."

While experts tend to agree that Vista has made significant improvements, the question of comparison with OS X tends to shift to more significant yet tangential issues.

Apple's Questionable Fix Process

Apple's built-in Software Update is easy to use and works well, but Apple is a secretive company and doesn't share its internal machinations. What happens behind the company's walls in Cupertino, Calif., is anyone's guess.

Microsoft's security process, by contrast, has become extraordinarily open. Instead of worrying about security late in the application build process, Microsoft now works to build in security features in every step of development.

Plus, Microsoft can now boast that its Microsoft Security Response Center is dedicated to finding flaws, publishing security bulletins, and monitoring emerging security incidents. Because of its past, Microsoft also has extensive experience in producing security patches and rolling those patches out to millions of diverse customers worldwide.

If OS X users ever face a massive security exploit, does Apple have the ability to create and deliver a fix quickly?

"I've been seeing Apple fixes come out in a very timely manner, but they haven't had a test under fire -- we haven't had a widespread attack," Perry explained. "As long as Apple is fixing things that are still theoretical, how can we judge them on being timely or not timely? I've seen Apple come back and make some comments on some of the vulnerabilities that have been discovered and say, 'Yeah, this is a flaw, but there's no way to make it into an attack.'"

The Biggest Bug of All

"Vista is more secure, but in terms of offering dramatic improvements that Mac OS X doesn't have, we don't see that the needle has moved all that much," Michael Romo, product manager for Symantec's (Nasdaq: SYMC) Macintosh Group, told MacNewsWorld. "New Vista features include parental controls, phishing protection in [Internet Explorer 7], and user account controls; however, even Microsoft itself recently stated that user account controls don't offer direct security."

Perhaps the most important point these days is that most attacks are all about social engineering -- tricking users into revealing account or identity details.

"We shouldn't focus too much on the vulnerabilities in operating systems because the biggest bug is in people's brains," Cluley explained. "If we can upgrade that, we'll have a much more secure computing environment."

Talkback: Join the Discussion.
Re: Gates' Mac Attack: Fact vs. Fiction
Gryyphyn
Posted 2007-03-03
"I've been seeing Apple fixes come out in a very timely manner, but they haven't had a test ...
Re: Gates' Mac Attack: Fact vs. Fiction
maccompanion
Posted 2007-03-01
The only issues I've ever witnessed on my Mac is when ClamXav flags bad Email Phishing ...
