In comp.security.misc Sebastian Gottschalk <seppi@seppig.de> wrote:
Dear lord, if you're going to make a claim that Linux takes more patches
than Windows, at least understand the nature of a Linux "patch". It is
not just a replacement for a single DLL or itty bitty binary. It is a
complete replacement of the affected application. The binary, the help
files, the included libraries, the config files, etc etc etc. This is
particularly true on a distribution that uses a dependency-based package
tool. This makes any "size" based comparison useless as the sizes of the
patches are completely different. That Linux distributions also distribute
third party applications and their associated patches also means that
there will be more MB of data included on a Linux distro's patch site
than Microsoft's, who only distribute their own patches for the most part.

Here's an illustration using Slackware Linux 10.2. There are 42 patches
for that version, totaling 276MB. However, only 14 of those (36MB) are
related to system critical applications, and that's being generous by
including X-Windows. The packages I included in the system critical set
were bash, bin, bzip, libxml, mod_ssl, openssh, openssl, sudo and x11-*.
If your criteria also include KDE (mine don't since I have a perfectly
functional X-Windows system using neither KDE nor Gnome), that adds another
4 packages (79MB) for a total of 18 packages and 115MB. Everything else is
a third party application such as Apache, sendmail, MySQL, PHP, GIMP and
so on. You'll note no kernel patch in Slackware. That's because Slackware
uses the 2.4.x line still as it is more stable and less buggy. Slackware
also includes only a basic set of third party applications, whereas RedHat
has somewhat of a reputation for being bloated with applications.

So to summarize, you're comparing apples to oranges. It just doesn't work.
Nice try to spread a little FUD though.