Why is this important? One of the primary bones of contention for defending one product's security over another has been the claim that “If you are a bigger target you're more likely to get attacked”. Granted, that must be true, but in this particular case that argument fails. Worldwide, Apache is the majority HTTP server. According to Google, Apache makes up 66% of the web server market worldwide, with IIS only holding 23%. That means, despite being a minority player in the server market, IIS has an overwhelming (and alarming) percentage of infected servers.
Is this more a fault of vulnerable software? Or could this be a symptom of something else? In either case, it's very interesting.