The correct answer is, I think, neither. Look, the Mac OS has always had holes. It always will. To think otherwise, no matter what the legions of the MacMacs out there fervently wish, is to literally deny reality.
Windows Vista and XP also have holes. Solaris has holes. Even my dear, fondly remembered OS/400 has holes. We are talking about complex software designed by inherently, and sometimes actively imperfect beings. There are always going to be holes, a k a mistakes. No matter how smart the designers of Mac OS X are, (and having met quite a few of them, they're astoundingly smart, all of them), they're only human.
They also aren't the only smart people on the planet. As a good friend of mine, Andy Ihnatko once said, rather sagely (complete with appropriate sagely demeanor), "No matter how smart or evil I may be, there is always someone out there who is smarter and more evil than I am."
Mac and PC Installation Hell: Just Say No
Top 10 Mac Productivity Enhancements
iPhone and Steve Ballmer
Using Vista and Linux on a Mac, Part One
As vulnerabilities go, this one was both quite real, and not as bad as it could have been. It affected a critical framework in Mac OS X, and a rather common install in Windows (QuickTime), and until it was patched, your only real safe bet was to disable Java in your browsers. It could, and did, allow a web site to open a hole into at least your home directory, and potentially worse.
To those who were, and maybe still are, trying to shout this down as "not a real problem," I say to them, "get a clue." Any hole that allows a random web page to open up your machine is bad. Period. Especially since this kind of attack vector makes hay of things like anti-virus and most firewalls. You created the connection, you "executed" the code. Had someone started exploiting this in a bad way, the fact that it wasn't a "real" problem would not be comforting to those damaged by it.
However, this vulnerability does not suddenly make the Mac OS no more secure than a tissue house in a hurricane. It had a reliable workaround (disable Java), that while causing some pain, did not require you to ignore the Internet until a patch was found. Exploiting the vulnerability meant you had to get people to execute the code on a web site. The law of averages makes this rather quite hard to do on the Internet, especially with an eleven-day window between discovery and patching.
This was not a "Witty"-level problem, wherein malware on another machine could reach out and infect your system, then crash it without you ever knowing about it. (For information on Witty, a particularly nasty bit of malware, read here.) You had to go to a location with the attack code to be hit by it. This is hardly a harbinger of doom.