I like the 4-point concept you noted. But, getting back to some basics, I think there are additional reasons for the low occurrence of vulnerabilities.
The Attack Surface
From a security stand-point, the greatest attack surface is always going to be the most likely target to produce a favorable outcome. In military terms, it's easier to hit a larger attack surface than a smaller one; EG: putting a 50-cal projectile through the top of a beer bottle is far more difficult than tossing a grenade into a fox hole.
We all have to justify our time output for likely success; if you never hit a target, the game becomes less productive towards the goal. This probability calculator must also apply to those that make viruses. Windows OS is the biggest target. Should Linux ever get to that place it may represent the greatest likelihood of attack success.
But, there is another important factor as well...
Corporate vs. Open Source Development
Developers know what to do and what not to do. Corporations need to release on a date though; software ready or not. A release date is not chosen for the greatest good of the software/product but by quarterly need to keep the executives off middle management backs; everything rolls down hill.
Open Source developers build with purpose and don't release until that purpose is met. They understand the importance of commenting their code, for example, so they don't forget the purpose of a code block and accidentally remove it at a later date during a rewrite. These comments serve as long-term memory and ultimately a set of requirements for the next go-round of development. You would be surprised how many large corporate development initiatives forgo this simple but important concept in the interest of time.
Then there are the 4 points you've noted. Only the most competent can achieve this kind of ninja-like movement. The corporate types could do this as well if they weren't trying to meet other deadlines.
It should be noted too that MS has less than a thousand developers and testers in their offices while open source projects will allow test results and bug reports from anyone in the world. Who has the bigger staff?
The last point is Software Regression
When an open source project puts in a fix it's in forever. Not till the next release or a new version - forever. A test case is added to cover the fix for the exploit and test automation is run on every subsequent build. Simple concept rarely happens in the corporation. In open source projects, if you see an exploit you're only likely to see it once and never again.
Security vs. Usability
The security design is the most important thing though. When a virus comes to the desktop the differences between Windows and Linux is clear:
1) Both accept email and store contents in a temporary location while you're reading a message. Linux stores them in /tmp and Windows, in a folder deep in the users applications directory.
2) During this temporary storage (pending user forward/reply/deleting the message) the difference is:
*Linux stores message and payload without the ability to execute.
*Windows stores message and payload with the ability to execute.
*This assertion is testable, test it.
Security vs. Usability is usually the argument I get at this point - not an issue. My Linux email works without the security gap just as Windows does with it.
This one security measure is (more likely was) the single greatest problem contributing to virus execution. Seems like a simple fix. Apparently, since Microsoft hasn't fixed it in 20 years, it's more complicated than that.
Either way, the easiest way to get a virus is to open Outlook and start forwarding joke emails. You'll find out just how funny they are soon enough.
A heavier reliance on web-mail would fix most of these problems; then employ one server-side solution to scan emails for everyone before viruses make it to the desktop. I use a combination of postfix/greylisting (though it's more complicated that that) to filter messages before they ever hit MS Exchange.
Then you're (mostly) only left with web-based attacks, malicious scripting embedded in web sites; it's the one thing facebook and porno sites have in common.
After that, it's going to boil-down to a little training and common sense.
Good article, Jack
Keep Up with TechRepublic