The predecessor anti-virus to Windows Defender was originally meant to be released in-box with Windows XP. Due to pressure from both the US and the EU (themselves pressured by massive lobbying by McAfee and Symantec/Norton) Microsoft was not allowed to ship the anti-virus with XP and had to release it separately on a web page as an "optional" download. This gave the anti-virus vendors an additional "free decade" (just about exactly) of being able to advertise that Windows was insecure by default and pretend like this was Microsoft incompetence.
Today a lot of average users (and as CrowdStrike has indicated, many large enterprises) still believe that Windows doesn't have built-in anti-virus because of "Microsoft incompetence" despite Defender having been bundled with Windows since Vista (2007).
Microsoft has spent decades removing security holes but doesn't get even half the credit for it because it still has to deal with an open Kernel because people want to pay for security blanket "products" like CrowdStrike's and Symantec/Norton's bloatware. That's in part because the US DOJ and the EU in trying to do the "right thing" for anti-trust reasons did the exact "wrong thing" for consumer protection reasons and left all these shady vendors with too much "everyone knows Windows has no anti-virus out of the box" PR based on Microsoft being forced to remove it from Windows XP to an "optional download" and that still being the benchmark version of Windows in many minds.
Microsoft made a market for these snake oil products because of their incompetence to make a secure operating system. Not because of governments. Things such as Defender wouldn't even be necessary (well they are still not necessary today, but people believe they are and you can't disable Defender anyways).
Linux still has AV scanners. MacOS still has AV scanners, the most common ones are just built-in and unbranded.
Everyone needs Ransomware scanners. Some Linux users and MacOS users rely on security through obscurity, which isn't actual security.
Even with the most rock solid and secure kernel, as long as software is allowed to run in userspace you need to detect when the user accidentally ran software they didn't intend to and/or that is trashing that user's space. You can't just delete a bad userspace, people store their files and increasingly their whole lives there.
You likely will never agree with me on this, but from what I've seen the NT Kernel is one of the most secure kernels on the planet in active mainstream usage. It doesn't have that reputation because the NT Kernel also paradoxically has to be the most open to plugins and third party drivers. People blame the NT Kernel for things the plugins and third party drivers get wrong. Every time Microsoft closes plugin APIs and moves drivers to userspace: companies and users get angry even as the overall security goes up. (That was the real "Vista problem": it moved too many drivers to userspace at once and hurt a lot of third party feelings and seemed to break a lot of hardware for a bit while things caught up.)
But you also don't really care how secure the kernel is because you don't live in kernel space, you live in userspace. You and everybody else also want to be able to run whatever software you want in userspace because you should be in control. (Yes, it's good to have control of your own userspace, that's a lovely freedom.) So Windows doesn't have a working central App Store today and users can still install software from anywhere they find it. That's considered a useful freedom. Things like Defender (ClamAV) and UAC (sudo) and more are still desirable tools that need to exist to protect userspace. (Tron fights for the users!) That's not a failing of OS security, that's a tool to protect user freedom. We know for a fact from mobile OSes that the alternative is locked down app stores, locked down file systems, and a lot less freedom in your userspace. Those are trade-offs we make every day now in which devices we prefer for which tasks. Neither is necessarily the best solution and it is nice being able to pick between systems with more user freedom for some tasks and systems with less for other tasks.
I don't expect you to agree with me and this discussion is close to arguing in circles at this point, but I still believe the reputation of Microsoft's "incompetence" is sorely over-exaggerated, in part by third parties that have always benefited from the platform's openness and predilection towards user freedoms over kernel lockdowns (and also some governmental oversight decisions that claimed to be for user freedom but mostly just lined the pockets of third parties while moving userspace security features out of the normal install for too long).
Microsoft's products aren't full of security holes. If you have an 0day on fully patched Windows that is worth a pretty penny, which implies they aren't that easy to come by.
They aren't worth quite as much as an iOS 0day but they are by no means cheap.
Of course if you think otherwise you can be making 7 figures per bug (assuming you are OK selling to brokers for the 3 letter agencies) so go dig some up?
>Microsoft's products aren't full of security holes
They are though, just look at Exchange[1] and what problems Microsoft itself has.[2] There is no such thing as a "secure Microsoft product". Microsoft is single-handedly responsible for making the IT world worse because they do not care and have a monopoly.
>If you have an 0day on fully patched Windows that is worth a pretty penny, which implies they aren't that easy to come by.
It's what the market pays for it, not what it's actually worth as you have already pointed out. Three-letter agencies buy these 0-days themselves for a big sum and support the black market so the prices go even higher because they have infinite money.