At the time when people started saying that, this kind of attack was a lot easier on Windows, because by design installing arbitrary code off the Net was a single click away and the attacker had a huge amount of control over the contents of the request. Since then, Microsoft has improved but Apple has somewhat repeated Microsoft's old mistakes.