翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 19-Jul-2024 20:12:09 JST
@ramblingsteve The kernel, Linux is known for having the best security record of all nontrivial kernels.
There are also security hardening techniques you can use to make a system extremely hard to exploit - for example SELinux (with SELinux, even if you find a root privilege escalation attack in a daemon, you cannot read or write to anything outside what the daemon is authorized to access, unless you find a way to bypass SELinux - which pretty much doesn't happen unless the SELinux rule set is wrong).
People like to count up the number of CVEs for all of the software in, and that runs on, GNU/Linux and then compare it with the count of CVEs for windows only and then say that windows is more secure because the number is smaller.
The concept of CVEs is to embarrass proprietary software companies so they eventually go and fix the security bugs rather than leave them for years, which isn't useful for GNU/Linux, as if you just let the developer(s) know of the bug, they'll fix it, or better, you can just fix the bug and send the fix in and the developer(s) will merge it immediately as long as it's correct.
As a result, every single published CVE for GNU/Linux software is a bug that has long been fixed and usually isn't being actively exploited en masse, or is in known insecure software that is no longer maintained, while CVEs for windows are usually bugs that haven't yet been fixed for months, that are being actively exploited en masse.
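The SELinux point in the post above is that a confined daemon which gets compromised still cannot touch anything its domain is not authorized for; in enforcing mode the kernel refuses the access and writes an AVC denial to the audit log. The script below, an added example that is not part of the original post, parses such denials and groups them by source domain, target type and object class, so a defender can see what a confined process attempted beyond its policy. The audit lines are constructed for this example (the domain `mydaemon_t` and all pids and inodes are invented); the AVC record layout itself follows the standard `type=AVC ... avc: denied { perm } ... scontext= tcontext= tclass= permissive=` format, and a `permissive=1` record means the access was logged but not blocked.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit records (not taken from any real system).
# Records 201-203 are enforced denials; record 204 carries permissive=1,
# meaning the access was only logged, which is what a misconfigured or
# permissive domain looks like. The SYSCALL record is there to show that
# non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1721419929.101:201): avc:  denied  { read } for  pid=4321 comm="mydaemon" name="shadow" dev="sda1" ino=131 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1721419930.555:202): avc:  denied  { write } for  pid=4321 comm="mydaemon" name="authorized_keys" dev="sda1" ino=902 scontext=system_u:system_r:mydaemon_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1721419931.004:203): avc:  denied  { read } for  pid=4321 comm="mydaemon" name="shadow" dev="sda1" ino=131 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1721419932.777:204): avc:  denied  { name_connect } for  pid=4321 comm="mydaemon" dest=25 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1721419932.777:204): arch=c000003e syscall=42 success=no exit=-13
"""

# Matches the fields of an AVC denial; permissive= is optional because
# older kernels do not emit it.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')


@dataclass(frozen=True)
class Denial:
    source_type: str   # type field of the acting domain, e.g. mydaemon_t
    target_type: str   # type field of the object, e.g. shadow_t
    tclass: str        # object class: file, tcp_socket, ...
    perms: tuple       # permissions that were denied, sorted
    comm: str          # process name as recorded by the kernel
    enforced: bool     # False when permissive=1 (logged, not blocked)


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc_denials(text):
    """Return one Denial per AVC 'denied' record in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types are skipped
        comm = COMM_RE.search(line)
        denials.append(Denial(
            source_type=type_of(m.group("scontext")),
            target_type=type_of(m.group("tcontext")),
            tclass=m.group("tclass"),
            perms=tuple(sorted(m.group("perms").split())),
            comm=comm.group("comm") if comm else "",
            enforced=m.group("permissive") != "1",
        ))
    return denials


def summarize(denials):
    """Count denials per (source, target, class, perms, enforced) tuple."""
    counts = Counter()
    for d in denials:
        counts[(d.source_type, d.target_type, d.tclass, d.perms, d.enforced)] += 1
    return counts


def main():
    for key, n in sorted(summarize(parse_avc_denials(SAMPLE_AUDIT_LOG)).items()):
        source, target, tclass, perms, enforced = key
        state = "BLOCKED" if enforced else "permissive, NOT blocked"
        print(f"{n}x {source} -> {target} ({tclass}) {' '.join(perms)}: {state}")


if __name__ == "__main__":
    main()
```

On a real host the same records come from `ausearch -m AVC -ts recent`; the thing to watch for in the summary is any `permissive, NOT blocked` line, since that is the case where the rule set is not actually confining the daemon.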