Consider IIs 6 and Apache 2. It appears that Apache is considered (A++) more secure.
 Is this a myth or reality?

From http://www.securityfocus.com/bid/vendor/

Microsoft IIS 6.0:

2003-07 22:  Microsoft Multiple IIS 6.0 Web Admin Vulnerabilities 


Apache 2.0:

2004-09-13:  Apache Connection Blocking Denial Of Service Vulnerability 
2004-09-13:  Apache Error Log Escape Sequence Injection Vulnerability 
2004-09-07:  Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow Vulnerability 
2004-08-10:  Multiple Vendor HTTP Response Splitting Vulnerability 
2004-07-23:  Apache mod_userdir Module Information Disclosure Vulnerability 
2004-05-05:  Apache Web Server Multiple Module Local Buffer Overflow Vulnerability 
2004-05-05:  Apache Web Server SSLCipherSuite Weak CipherSuite Renegotiation Weakness 
2004-04-24:  Apache mod_auth Malformed Password Potential Memory Corruption Vulnerability 
2004-04-07:  Apache Chunked-Encoding Memory Corruption Vulnerability 
2004-03-25:  Apache mod_disk_cache Module Client Authentication Credential Storage Weakness 
2004-03-15:  Apache HTAccess LIMIT Directive Bypass Configuration Error Weakness 
2004-02-24:  Apache Cygwin Directory Traversal Vulnerability 
2004-02-07:  Apache mod_php Global Variables Information Disclosure Weakness 
2004-01-27:  Apache Web Server mod_cgid Module CGI Data Redirection Vulnerability 
2003-12-26:  Apache mod_php Module File Descriptor Leakage Vulnerability 
2003-10-29:  Apache Web Server Prefork MPM Denial Of Service Vulnerability 
2003-10-25:  Apache2 MOD_CGI STDERR Denial Of Service Vulnerability 
2003-09-10:  Apache Server Side Include Cross Site Scripting Vulnerability 
2003-09-05:  Apache Web Server FTP Proxy IPV6 Denial Of Service Vulnerability 
2003-09-04:  Apache Web Server Linefeed Memory Allocation Denial Of Service Vulnerability 
2003-05-06:  OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability 
2003-03-06:  Apache 2 WebDAV CGI POST Request Information Disclosure Vulnerability 
2002-11-05:  Apache /tmp File Race Vulnerability 
2002-09-27:  Apache 2 mod_dav Denial Of Service Vulnerability 
2002-08-16:  Apache 2.0 CGI Path Disclosure Vulnerability 
2002-08-16:  Apache 2.0 Path Disclosure Vulnerability 
2002-08-16:  Apache 2.0 Encoded Backslash Directory Traversal Vulnerability 
2002-07-17:  Apache httpd 2.0 CGI Error Path Disclosure Vulnerability