Fresh from a recent debate on Apache versus IIS security, I bring you this summary. I am not in a position to directly compare IIS versus Apache. When I build an IIS server, I am fairly confident in its security. If I were to build an Apache server, I would have little confidence due to my inexperience. So much depends upon the admin’s skill set.
Quantitatively, Apache has more known vulnerabilities and attacks than IIS. IIS5 on Windows 2003 has 4 vulnerabilities. IIS6 on Windows 2008 has 1 published vulnerability. By contrast, Apache 2.0.x has 23 vulnerabilities.
The counter-argument to these statistics is this: most of the 23 vulnerabilities were in Apache modules. The attack surface drops significantly if you disable these modules. (And, of course, if you know how to disable the modules.)
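One way to act on the module point, as an added example that is not part of the original post: the Python below reads the `LoadModule` lines of an Apache configuration, compares them to an allowlist, and comments out the rest. The sample configuration, the allowlist and the function names are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not taken from the original post).
SAMPLE_CONF = """\
# Modules this site needs
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule log_config_module modules/mod_log_config.so
# Left enabled from the default install
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
  LoadModule userdir_module modules/mod_userdir.so
#LoadModule dav_module modules/mod_dav.so
LoadModule cgi_module modules/mod_cgi.so
"""

# Assumed allowlist for a static site; adjust to what the server really uses.
REQUIRED = {"mime_module", "dir_module", "log_config_module"}

# Matches active (uncommented) LoadModule directives; directive names are
# case-insensitive in Apache, hence IGNORECASE.
LOAD_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

def audit_modules(conf_text, required):
    """Return (kept, flagged): active module identifiers in and out of the allowlist."""
    kept, flagged = [], []
    for line in conf_text.splitlines():
        m = LOAD_RE.match(line)
        if not m:
            continue  # comments, blank lines and other directives
        (kept if m.group(1) in required else flagged).append(m.group(1))
    return kept, flagged

def disable_modules(conf_text, required):
    """Return the config text with non-allowlisted LoadModule lines commented out."""
    out = []
    for line in conf_text.splitlines():
        m = LOAD_RE.match(line)
        if m and m.group(1) not in required:
            line = "#" + line.lstrip()
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    kept, flagged = audit_modules(SAMPLE_CONF, REQUIRED)
    print("keep:   ", kept)
    print("disable:", flagged)
    print(disable_modules(SAMPLE_CONF, REQUIRED))
```

Modules compiled statically into the binary do not appear as `LoadModule` lines; `httpd -l` lists those. Run `apachectl configtest` after editing, since directives belonging to a disabled module will fail to parse unless they are wrapped in `<IfModule>`.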
Another counter-argument is that the web server depends upon the operating system. A determined attacker goes around your defenses rather than through them. Thus I would suspect the security would turn more on the OS and the Web applications.