You argued that Windows was targeted solely because of its high market share. I'm drawing a comparison to another platform with high market share; there simply wasn't anything comparable ten years ago. And it is not obvious to me that it's not a valid comparison; Microsoft were a huge company who had been developing Windows for fifteen years at that point. Android is a lot younger, so you could just as well expect it to be less mature and therefore less secure.

And yes, I know it is possible to run it without being compromised. You obviously knew what you were doing; millions, even tens of millions of others didn't know and wound up with their computers zombified into botnets. That wasn't all because of their ignorance; there were times when a newly installed XP machine would be compromised less than fifteen minutes after being connected to the internet, which wasn't enough time to install the patches it needed. That can't be considered that user's fault, especially when they've just sat through half an hour of being told how they're installing The Most Secure Version Of Windows Yet!

> Of course they had to do all that. The Windows users back then were generally not very savvy...

Now you are missing my point. Microsoft didn't have to do anything. They could have built an operating system that was harder to use but more secure. I contend that it's even conceivable that they could have built an operating system that was roughly the same for ease of use, but still more secure; maybe they'd have been slower to market or had to compromise elsewhere. The point is that security was not a priority for them for years, they obviously just weren't that concerned. That may ultimately have been the right path for them, because they arguably didn't pay a high price really, but I don't personally consider it the technically best course.

> My point is that what is possible today, was not possible 10, 15, or 20 years ago both from a tech and user point of view... Just because someone can do OS security good today, dosn't mean you can blame someone else for not doing it good decades ago.

I think this is where we fundamentally disagree. I don't see why you think security is only something that can be achieved now and why it couldn't be ten or fifteen years ago. In the Unix world, people have known not to run as root for decades; Microsoft chose to ignore that for a long time and ultimately have been forced to shoehorn it back in for Vista. They could have done that in XP, if not long before; it certainly had the capability for it, they simply cut that out of XP Home and chose bad defaults for XP Pro.

As of ~2008, a very competent technical friend and co-worker had fired up a virgin WinXP instance, on the corporate intranet, to access some HR website which was strictly MSIE only.

Within the 15 minutes that instance was live, it had been compromised.

Anecdata, from a mythical extraterrestrial at that. But I'll stand by that and his experience.