OS X Security is a pretty fun topic for me, because I love watching the carnage when people fight.
Before I register my opinion, I need to be clear that I've been operating almost exclusively on a Mac since OS X came out. I grew up in Unix, and never liked the lack of usability in Windows, so it was a good fit. However, I don't have any particular interest in making Apple look better than it really is, particularly when it comes to security. So I don't really consider myself a "fan boy". But I do know plenty of people over in Apple, and have some insight into what their product security team looks like.
Apple and it's fan boys will talk about how their platform is more secure, because there is so little malware for it. Security people will talk about how there are plenty of vulnerabilities published for OS X, and that it is certainly not more inherently secure than other operating systems.
Both sides are correct! Yes, there are plenty of vulnerabilities in OS X. I wouldn't necessarily say it's an undue number (though it's always alarming when security researchers find vulnerabilities by the dozen)... we all know secure software is difficult to write, and there are going to be problems. And in anything as large as an operating system, there are always going to be more security holes to find.
Comparing OS X to Windows directly here, Apple has not spent the massive amount of money on software security that Microsoft has. But, Microsoft spent a lot of money being pioneers and did start from WAY back (they used to have horrible security)... it's not fair to directly compare spend. Still, Microsoft has much more mature and better processes. I think they don't spend as efficiently as they could here, but they certainly spend a lot to make up for it.
And, the long-standing notion that Unix (thus OS X) is more securely designed than Windows is mostly a non-issue these days. I say this in part because the security model of Windows is a lot better (and has been ever since their consumer offering moved over to the NT kernel). But, it's also true that the differences are mostly irrelevant to attackers today. It may be harder to get administrative access on an OS X box than a Windows box. But, if there are gullible users in front of the computer, or if there are software flaws to exploit, it hardly matters. If the bad guy can run their own code on your computer through one of those two methods, then the bad guys are where they want to be. They don't really NEED administrative access. Neither OS has a strong advantage in terms of keeping away exploits, nor does either help keep gullible users from infecting themselves.
I think what's most important is that Apple seems to take things seriously and get patches out in a timely manner when things go public (the vast majority of malware that takes advantage of security holes in software take advantage of publicly disclosed information).
I'd say on the whole, neither OS has an inherent technical advantage. There are pluses and minuses in each column, but no clear winner.
At the same time, it's true that, from what I've seen, there are only about half a dozen truly unique pieces of malware out there (including the Leap Worm, the RSPlug Trojan and the OSX_LAMZEV backdoor). No matter how many vulnerabilities there have been in the OS, almost none of them have been leveraged by real malware. It's clear that it's far less risky (at the moment) to be a OS X user than a Windows user, even though OS X users probably aren't running AV, and even though Microsoft has spent billions improving the security of their offerings.
What gives??!! Why don't bad guys seem to be too interested in OS X? This seems like the really interesting question. It seems like OS X should be a huge target, since the market share is now so high-- according to a recent article, over 20% of new machines sold in the US are Macs (though Gartner claims their market share is 6%... there doesn't seem to be any good consensus). No matter who is right on the market share issue, I'll hazard a guess and say that about 7-10% of computers actually in use at any given moment are Apples (at least in the US). Even if it's only 3%, that seems like a huge base of PCs that should be an appealing target to bad guys looking to build a legion of infected hosts to use in spam campaigns, delivering ads and so on. Particularly considering that most people running Macs don't run AV (and that includes me!)
If you look at reported sales figures, Apple sold about 6M laptops, and 4M desktops in 2007. Also, I'd venture to guess that most Mac owners are something like me. They have a laptop as their primary machine, but they still have a desktop or two sitting around, maybe to have the bigger drive for all their photos, music and movies, or as a dedicated media editing workstation. But they don't really install a lot of software from the net on those machines, or spend too much time browsing the web. I've got two Apple desktops that are almost exclusively media PCs (when kids are around, they occasionally end up browsing to sites like disney.com or webkinz.com while supervised). And I've got a couple that are test machines, and usually turned off. When I was working for McAfee, I had a really nice desktop, but I only used it for stuff inside the VPN.
Those desktops typically aren't doing anything too risky, because they are secondary machines for most people. It's the laptops that we use to surf the shady side of the internet. The laptops are the bulk of the macs that get day-to-day internet use (I'd guess north of 80%).
If I were a bad guy, I'd be far less interested on "owning" a machine that changes location a lot and is frequently closed. It's a lot harder to count on those resources, contact them and leverage them. Since there are so few desktops in use, I'd posit that Apple has much smaller market share in terms of machines that are useful to attackers.
Now, I'm sure Windows laptop usage is similar to Apple usage. People who own a Windows laptop are probably a lot less likely to use their desktops. But, there are lots more Windows desktops out there already, and there are plenty of people who only have a Windows desktop. Those people who aren't too computer savvy and don't have a laptop, but still heavily use the Internet are the most likely to fall prey to social engineering attacks.
Plus, it costs more to produce malware for OS X, because the tools aren't available that lower the cost. I have not yet seen something akin to the Pinch malware creation tool for OS X. Therefore, if you're a bad guy, you need to come up with Apple development skills, whereas before you didn't need to have any particular skills at all.
Eventually Apples might be the lowest hanging fruit, but there seem to be plenty of Windows PCs that are still ready to be owned. And for most people it is far less costly to own those PCs. Therefore, simple malware economics is doing a good job of protecting Mac users... no AV necessary. But, Apple has just started recommending AV, and I think for non-technical users in particular, that's always a good idea.
But when the day comes and there are lots of real threats out there for OS X coming out on a frequent basis, that's when it will be important for everybody to have some malware protection on their Macs. Until then, it's one less thing I have to buy!