Check out this article/report by OmniNerd, which tested various operating systems for security. They performed a base line vulnerability scan during installation, after installation and after patches had been applied. Each installation was done to mimick as close to a ‘default install’ by clicking ‘next’ when possible. While one can argue various points of this test, they did a good job defining the operating system, configuration and resulting open ports, along with corresponding vulnerabilities. The only questions that immediately come to mind are if the Solaris install included Update 3 and why they didn’t have any charts or graphs summarizing the information.
This is hands down one of the most fair and unbiased tests I have seen in a while, based on the information in the article.