Zone-H publishes every year stats of registered attacks.
According to those stats the most targeted operation systems are Linux, Windows 2003 and Windows 2000. The most defaced webservers are Apache, IIS/6.0 and IIS/5.0.
References:
about security, BSD, open source and programming.