Vulnerable to Viruses and Malware I mean. Vulnerabilities are inconsequential in the short term if nobody's exploiting them. Just look at Stuxnet - even the US government is exploiting Windows vulnerabilities.
Inconsequential? Nobody exploiting them? Seriously? Tell that to anyone who got screwed by one of the myriad of loopholes and misconfigurations in Apache, PHP, OpenSSL and any other number of *Nix software. You can't swing a dead virtual penguin without bumping a browser window with a story about some server getting hacked. Costs quite a bit of money, time and bad customer relations. And please don't try and pass off Linux as being 100% flaw free; Secunia and other security lists will tell you otherwise. They had their fair share too... some go for quite a good deal of time before being spotted too.
1. How users get their software.
You see quite a few articles and such that tell users to add various repositories to their sources.list, download and dpkg this .deb, extract and run the script in this tarball, etc etc.. the walled garden thing doesn't hold up, especially when somebody wants to stay current with a distro that's perpetually out of date. Just need to trick that user into running something they shouldn't and that Linux security has been rendered pointless.
2. Permission system. Specifically, how programs get executable permissions. Windows Autorun is an example of a popular infection vector.
True with the legacy OS's. Current versions ask first before doing anything. If they still run it, well that's on them.
3. The variety of Linux distributions, their configurations, and the software which they contain are the bane of malware writers. They do best in homogeneous environments with predictable file locations and installed software, and slow update cycles.
Not sure how this is a benefit... /usr/lib versus Windows/System32? Both are a bit predictable..
1. For years Windows had very lax security, which encouraged a vast malware ecosystem. Critical mass was reached long ago. The hacking tools, code, and expertise has all developed around Windows. That's not something you can transfer overnight.
No arguments there. XP made quite a few mistakes when it came to security. Whoever thought giving users admin access by default was a good idea should be shot.
2. The Win32 API is very hacker/malware writer friendly.
Erm any API can be hacker/malware friendly. Shoot probably easier in Linux thanks to the myriad of tools at your disposal that's typically already installed.
3. There's no central repository to get your software from (yet), which inevitably leads to the practise and habit of downloading and running random programs from the internet. This behaviour increases the risks of infection with malware.
Agreed to a point, as it's not 100% solid in Linux either, see above about working with external repositories.
There are many examples in Windows' history. And yet, not a single Virus has successfully spread on GNU/Linux.
And again, it's because the malware writers just don't care. 99% of the time, malware is oriented around money. Stealing passwords, sending you advertisements, encryption/ransomware, ripping off your virtual crap in World of Warcraft, things like that. Who's going to spend the time and trouble to write up a bit of malware and think to themselves, "Gee this is great, now how can I release it to the smallest amount of users possible?" Or to be a bit melodramatic, Linux presents quite the perfect delivery mechanism.. the central repository. All it takes is just takes one good hack or a cheesed off coder. Worked great by accident, would be quite devastating if intentional. Bumblebee proved how well that could work. The software worked great until you uninstalled it. Then it literally nuked your entire /usr directory, rendering the system unusable. Oopsie.
You could try and write some bad code for Linux, but how would you deliver it? How/where would it install itself? How would it run/spread? Then you start to realise, GNU/Linux is an extremely heterogeneous environment - again, the bane of virus/malware writers.
Again, user stupidity. Attachments, tricks, misdirection.. how a majority of this stuff starts.
It's all well and good pointing out buffer overflow exploits, but if nobody's using them, they don't pose a real security risk in the short term. All of the exploits are targeting Windows, the reasoning of which is unimportant, there is only the reality of the situation.
Again, that's where the money is, on the desktop side of things. OSX used to be able to claim similar, but as their market share is growing, so is their number of malware cases. Or, look at Android, it's quite popular, and "malware cesspool" has been thrown around quite a bit. The reasoning is only unimportant if you're wanting to dodge the issue, namely they're going where the money is, and the Linux desktop isn't it, not that it's magically immune from malware.