Apache 2.2 actually seems fairly decent.
Apache 2.0 wasn't very good in terms of security. They had a huge change of the architecture and did a lot of really, really big changes to make it much more capable. Complete overhaul of the codebase, and made it much more capable of handling multithreading and all sorts of fancy stuff.
Apache liked it because it made their product much more impressive. Most regular folk hated it because they aren't going to need any of the new features and it broke compatibility with their existing add-ons, and everybody knows that big changes bring big bugs, especially with Apache pushing on what they're capable of.
It's hoped that with Apache 2.2 it's had more time to mature.
There are some things to keep in mind about Apache:
1. Most people that are doing big sites are still using 1.3. There were features that are missing in 2.0 that a lot of people use, but they are there in 2.2.
2. 1.3 is still maintained and fairly active.
3. A lot of 'real' sites don't actually run vanilla Apache. They tend to run something that is customized for their environment or bought from a commercial vendor.
It even goes so far that many Linux distributions aren't even using Apache 2.x by default, but they will probably use 2.2.
For instance, in Debian Stable when you go "apt-get install apache", you get 1.3.3.
For instance, Slackware released its latest Slackware 11 just recently and it uses Apache 1.3.x by default also. These are both the latest releases of those distributions and are very commonly used by professionals that can choose the OS they use.
A thing to keep in mind about IIS 6 is that in its default configuration it doesn't actually do much. It doesn't really do much by itself. Pretty much it can serve static HTML pages. As soon as you as an administrator start enabling features, like for example the ability to do ASP.NET, then you start to run into software that has had multiple vulnerabilities in the past. So it's not like "oh, the last IIS vulnerability was in 2005, so if I don't apply any patches then my system will be secure". Nope, doesn't work like that.
And it's not that much different with Apache. If you look at it, the large number of vulnerabilities comes from Apache mod_this or mod_that.
If I choose to run Apache 2.0 + PHP for a website, then that vs IIS 6 looks like incredibly large amounts of crap.
If I choose to run Apache 1.3 + Perl or Python for a website, then that vs IIS 6 doesn't look so bad, when you enable enough features to get equivalent functionality.
So you have to analyze the situation a little bit more critically than just # of vulnerabilities vs # of vulnerabilities.
The way Microsoft arranges for its vulnerabilities to be disclosed leads to very, very misleading statistics vs how the open source community releases advisories.
For instance compare:
Redhat AS 3 (released 2003):
http://secunia.com/product/4669/?task=statistics
vs
Windows 2003:
http://secunia.com/product/1173/?task=statistics
OK, it's 310 Redhat vulnerabilities vs 102.
Pretty damning, right?
Wrong.
Look at the actual vulnerabilities for the systems.
Gzip, KDEgraphics, ImageMagick?? These are reported as _remote_ vulnerabilities. I doubt they are really exploitable, just potentially. They are just bugs in those programs that could or could not be a real problem.
Now look at Windows 2003.
What software does 2003 ship with?
Internet Explorer, ASP.NET, IIS 6 are some examples.
Except for IE there hasn't been a whole lot of exploitable holes available for those things, but they do exist. So look at the advisories for 2003...
Where are the ASP.NET vulnerabilities? Where are the IIS 6 holes?
They are nowhere to be found. Because I guess they aren't part of the 'Windows 2003' product?! I have no clue.
Look at IE. A hundred and six vulnerabilities for IE 6. In 2006 there have been 14 vulnerabilities, many of them critical, many of them unpatched.
NONE of those show up in Windows 2003. Out of 106 advisories only about _3_ show up as Windows 2003 vulnerabilities?
With Redhat they list separate advisories for Seamonkey and Firefox, even though it's the same problem for both of them.
I mean, seriously, this is bad. This looks fine on paper and good when you're doing Linux vs Windows arguments, but as an administrator, how Microsoft categorizes (or at least how Secunia arranges the advisories) makes it virtually impossible to actually determine what problems your system has and what needs patching. It's nearly worthless.
It's the same thing with Apache vs IIS, but not quite as bad. But still. Even when you look at the statistics intelligently and not how they are misrepresented by Secunia, then IIS 6 still is quite nice security-wise. Much better than Apache 2.0. Also IIS + ASP.NET is very much nicer than, say, Apache + PHP.
This is where currently most Linux distributions do a great disservice to a lot of people. They are much more interested in shipping the latest and greatest with all the spanking new features rather than concentrating on what matters. There are only a couple of popular ones that I feel do a decent job: Slackware, Debian Stable, Redhat.
Of course, if security really mattered for webpages to most people, we'd all be using OpenBSD + their Apache version + Perl or Python.
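An added example (mine, not the poster's) of the more critical analysis argued for in the "enable enough features to get equivalent functionality" passage and in the Secunia comparison above: it scores a host by the components actually enabled on it, matched across whatever product label an advisory was filed under, instead of by raw per-product totals. Every advisory id, product name and stack definition below is constructed for illustration and is not real advisory data.

```python
# Role-scoped advisory counting: count what is enabled on the host, not what
# a vendor/aggregator label says. The feed below is constructed, not real data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    ident: str      # constructed id, not a real advisory number
    product: str    # label the aggregator filed it under
    component: str  # package or module actually affected
    remote: bool    # remotely triggerable?
    patched: bool   # vendor fix available?

FEED = [  # constructed sample feed
    Advisory("RH-001", "Redhat AS 3", "gzip", True, True),
    Advisory("RH-002", "Redhat AS 3", "kdegraphics", True, True),
    Advisory("RH-003", "Redhat AS 3", "httpd-1.3", True, True),
    Advisory("RH-004", "Redhat AS 3", "php", True, False),
    Advisory("RH-005", "Redhat AS 3", "perl", False, True),
    Advisory("RH-006", "Redhat AS 3", "httpd-2.0", True, True),
    Advisory("MS-001", "Windows 2003", "kernel", False, True),
    Advisory("MS-002", "Windows 2003", "iis6", True, True),
    Advisory("IE-001", "Internet Explorer 6", "ie6", True, False),
    Advisory("IE-002", "Internet Explorer 6", "ie6", True, True),
    Advisory("NET-001", "ASP.NET", "aspnet", True, True),
]

STACKS = {  # components each hypothetical deployment actually has enabled
    "apache13+perl": {"httpd-1.3", "perl"},
    "apache20+php": {"httpd-2.0", "php"},
    "iis6-static": {"iis6"},
    "iis6+aspnet+ie": {"iis6", "aspnet", "ie6"},
}

def count_by_product(feed, product):
    """The naive number: everything filed under one product label."""
    return sum(1 for a in feed if a.product == product)

def exposure(feed, enabled):
    """Advisories touching an enabled component, whatever product label they
    were filed under, split by remote reachability and patch state."""
    hits = [a for a in feed if a.component in enabled]
    return {
        "total": len(hits),
        "remote": sum(1 for a in hits if a.remote),
        "remote_unpatched": sum(1 for a in hits if a.remote and not a.patched),
        "ids": sorted(a.ident for a in hits),
    }
```

With this feed the naive "Redhat AS 3" total is 6 while a static-only IIS 6 host scores 1, but enabling ASP.NET and IE pulls in advisories that the "Windows 2003" label never shows, which is the mismatch the post describes.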