In his blog, Gartner analyst Neil MacDonald asks the question, "Is .NET More Secure Than Java?". CA Veracode provided data to help answer this question from our "State of Software Security Report" which contains the static analysis results from 1591 Java, .NET and C/C++ applications. .NET comes out slightly ahead.
...the vulnerability density (average flaws per MB of code scanned) for .NET was 27.2 and for Java the overall density was 30.0.
The question of which platform helps create a more secure application has been debated vigorously for many years. Back in 2003, with Andy Jaquith and other consultants at @stake, I performed a comparison of the security of the .NET vs. J2EE platforms. Our overall results had .NET coming out slightly ahead of J2EE mostly due to better developer defaults and better security guidance for developers. This may be the reason .NET is coming out slightly ahead in this analysis of hundreds of real-world applications.