At some point the concept of ~Microsoft as a large target even if there were relatively few serious vulnerabilities due to market share~ has been topic of discussion in all of the ITACS classes.
Tenable uses current scan data and looks more as analyst than simply ~scanner~ to highlight the volume of risk associated with visibly vulnerable systems.
There is a great graphic demonstrating the effect of unaddressed vulnerabilities stacking over time and what appear as relatively small individual threat surfaces compound as legacy software remains in place, even when unused and no longer needed.
The presenter leads by explaining the need to update the CVE system of classification (most notably a *critical* level and measuring risk beyond the compromised system)
http://static.tenable.com/translations/en/Vulnerability_Intelligence_Report-ENG.pdf