Is IIS or Apache more secure?

Continuing the theme from my previous column on the relative security of Internet Information Service (IIS) vs. Apache, I've come across more studies to support my initial conclusion.

If you remember, I was questioning the findings of a Google report that stated that IIS Web servers were twice as likely as Apache servers to be hosting malware. I wasn't refuting the data, but I was questioning the conclusion, given the fact that the report's authors calculated their statistics using server IP addresses only.

Since a single Web server can, and often does, host multiple Web sites, the published results would be skewed by any server hosting multiple Web sites. And since Apache Web servers are often used to host hundreds to thousands of active sites (and IIS is less likely to host sites on the same scale), I felt the study underreported the prevalence of malicious Apache Web sites.