[secstate]

That's a really complete argument. But there's still the elephant in the room of the whole operation being closed source, and the inability to do quantitative analysis into the improving security of a closed source system.

People on the inside can say there have been qualitative improvements, but that's not measurable on the outside and so is no better than hearsay and conjecture. Meanwhile in the GNU/Linux world, you can browse the git repositories and see and audit every step in the development process if needed.

Is it possible that typical open source projects didn't NEED to improve their security over the same timeframe, given that the F/OSS world didn't fuck users over for two decades with unfixed 0days?

Meanwhile, the OP here is talking about Word which is likely a world away from the improving security team working on Windows. Hell, I'm surprised they've got more than a skeleton crew working on the desktop version of Word anymore. People in my community 60+ have been using Google Docs for the last five years already.