Thu 7 Jan 2010 | PDF vulnerabilities
The computing industry has got so used to criticising Windows
for being insecure that it's got complacent. Anything that opens
content from an untrusted source (which means any email, any URL)
is vulnerable and has to be kept secure. The big problem with
Windows and OS X is that neither platform has support for updating
all your installed apps to keep them secure.
That is a problem given how ubiquitous PDF readers are in the
enterprise. SANS has a good
analysis up of a malware attack in a PDF for which Acrobat
Reader does not have a patch. The only way to secure it is to
turn JavaScript off.
This raises a question. For me, the primary use of Acroread is
to read PDF files. No scripting, no browser integration. So why
does acroread have these features? It's feature creep for the
benefit of Adobe: "Let's make Acrobat a platform! No need for HTML
and web forms! We can do it all in PDF!". This benefit imposes a
cost on all users: we have to keep our systems up to date, worry
about every Windows VM, add something else to the weekly Linux
updates. And until such 0-day exploits are fixed, worry a lot.