Exactly, that's one of the main things that makes an OS insecure, or more precisely:
- the ability to easily tamper with software while there is no sign that such software has been tampered with
- the fact that OSes like Windows or Linux know nothing of the concept of an app (it's just a bunch of files the installer barfs onto your system which can include anything and be written anywhere).
- etc
The ability to install anything is just the final step that breaks the security camel's back, due to all the other security flaws (or complete lack of security concepts in those areas) that exist alongside it.
And yes, Windows is the least secure OS for precisely this reason (not because it's most often targeted). This is in fact exactly the reason the modern Windows run time environment exists in the first place. It exists primarily because it was impossible for MS to change Win32 into a more secure system (which is better at protecting users from themselves) without severely compromising compatibility, which is why we got the "tacked on" WinRT rather than an evolved and more secure Win32!
Windows was originally designed for technically minded people. Anybody who used such a system was a professional and knew one or two things about the tech they were using. That's completely different today.
It's true that an OS can't foresee and deal with every form of user stupidity. Users will always have to carry some of that responsibility for the reasons you mentioned. However, a modern consumer OS must strive to make it as easy as possible to be used securely and as difficult as possible to be used insecurely. Neither Windows nor Linux fits that description. Those systems are better suited to being used in any which way a user desires, which may or may not be secure. Those systems make users responsible for a lot more than is technically necessary, and very few consumers are competent enough to make secure choices.
That is very much in contrast to iOS or the modern Windows run-time environment. Android is somewhere in between.
I completely disagree with this. It's probably only true in non-technical consumer-oriented discussions, likely because such exploits are scarier and far more spectacular, but they account for less than 1% of all successful security breaches. In professional circles the main topics discussed are exactly the opposite. A Windows admin spends a big part of their education studying how to lock down a Windows client with the goal of making it less maintenance intensive and more secure, almost all of which is focused on preventing users from doing things they shouldn't!
When it comes to resisting remote hacks, almost all OSes are rather secure these days (with OSX occasionally offering an exception).
The larger and far more important aspect of security, because that is what is exploited 99% of the time, is how easy it is for users to screw up (out of stupidity, ignorance, or whatever reason). In that regard the various consumer OSes are very different.
We agree on most things here, but I don't think it's correct to suggest that side loading (not by itself, but along with all the other security failures that factor into that scenario) isn't part of the security puzzle. Those things can't be ignored. Any judgement of OS security must encompass all aspects of security, including those that stem from user stupidity, many of which are easily avoidable given a more cleverly designed OS. Apple's iOS and MS's modern Windows run-time have attempted to do exactly that. It's in fact a large part of Apple's success and their no-hassle, no-fuss, it-just-works image.