Microsoft, after taking some hits for their "insecure by default" configurations and applications, tightened things up greatly. It caused project timelines to be extended and delayed shipping on some releases. I think, though, we're glad Microsoft did.
The impression I get is that SQL Server is considered more secure than Oracle by most security experts. Thanks to Microsoft for keeping the surface area tight, and deprecating hackable features that have since been replaced with more evolved and secure options. Deprecation is a good thing in my opinion.
At one point a few years back, I was almost forced, due to circumstances within the organization, to become an Oracle DBA. In the process of reading and getting up to speed on Oracle 11g, I was baffled by all the techno-trivia that had to be learned in order to maintain a database. The problem is that Oracle has to maintain backward compatibility to the 1980s in addition to cross-compatibility with multiple operating system platforms, so it has a lot more "junk in its trunk".
Not only does Oracle have a lot more potential holes to exploit, but my impression is that the average Oracle DBA isn't as familiar with their own platform as the average SQL Server DBA, simply because they have so much more territory to cover. The SQL Server platform itself is smarter, so the DBA in this realm doesn't have to be an OS / command shell / networking expert just to perform their daily job.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho