Web defacement archive Zone-H.org has produced a comprehensive three-year report on web server defacements for 2005 to 2007. What makes the Zone-H archive unique is that the data is gathered from the hackers/defacers themselves, and every defaced website is confirmed and mirrored on Zone-H permanently.
Contrary to popular perception, Linux/Apache websites get broken into far more often than Windows/IIS websites. Since Windows/IIS and Linux/Apache market share has been comparable in recent years, the comparison is a valid one. The following is a chart I compiled from the Zone-H three-year report.
As it turns out, this has little to do with the fact that Microsoft IIS 6.0 has far fewer vulnerabilities than Apache 2.0. When we look more closely at the "Attack Method" data in the Zone-H report, the OS and web server platform you run has little to do with how secure you are. What seems to make all the difference is how well you administer the website and how carefully you write your web applications.
Looking at the trend over the last three years, it would seem that website administrators may have finally wised up to "File Inclusion" attacks. In 2005 and 2006, "File Inclusion" was the most likely way a website got defaced, but it declined to third place in 2007. The overall trend seems positive, as website defacement peaked in 2006 and started to drop in 2007. The bad news is that password stealing or sniffing spiked in 2006 and 2007 and became the most likely attack vector.
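An added illustration (not from the Zone-H report or this post) of the application-level "File Inclusion" defect the report counts, beside the allowlist fix that the point about writing web applications carefully comes down to; the `?page=` parameter, the page names and the `pages/` directory are assumptions:

```php
<?php
// Added example: the classic PHP "File Inclusion" defect and a hardened
// version. The ?page= parameter, the page names and pages/ are assumed.

// VULNERABLE: the include path is built straight from user input, so the
// script can be made to execute whatever file or (with allow_url_include
// enabled) URL the request names. This is the class of bug behind the
// "File Inclusion" defacements in the report.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: map the request parameter onto a fixed allowlist so the raw
// string never reaches include().
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $page): ?string
{
    // Exact-key lookup: traversal sequences, URLs, null bytes and other
    // unexpected input simply fail to match and are rejected.
    return PAGES[$page] ?? null;
}

function render_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

render_page_hardened($_GET['page'] ?? 'home');
```

Logging the rejected `page` values from `resolve_page()` also gives a cheap detection signal for inclusion attempts against the site.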