At least that's what the article is trying to say.

Couple of problems with the article. First, in terms of sheer quantity, there are a number of off the shelf virii that any two bit script kiddie can distribute. It takes much more work to find an exploit for software that runs on a limited number of servers. The custom software may (or may not) be as vulnerable as MS software, but it would take some work by a true cracker to expose the weakness, rather than some bored teen.

Second, security should involve concepts of layers of rings. An application that somehow exposes it's specific information is not nearly as damaging as an internal Operating System malfunction. The damage from an errant application is limited to the exposure implicit within the application. A penetration into the OS, however, amounts to any and all information within the server becoming available - as well as all the information in which the server has trusted domain within the network. Why spend time trying to figure out a custom app when you can bypass that work and just directly go for the least-common-denominator?