Here is an article comparing Microsoft and Oracle’s security. The author of the report looks at patch count over the last 3 years and shows that Oracle has issued many more patches for security issues. While in the field configuration is equally important this does say something about how seriously the SQL Server team takes security. Kudos to them. The actual article is here.