I am not so sure about that.
We run 3 sites for our company websites. 2 are Apache, one is IIS.
During the past year I have had to clean up hacks and/or exploits on the Apache ones 4 times. I have yet to have any problems with IIS.
And yes, I know it is true that a lot of the hacks sneak in through other programs, such as PHPbb flaws, but the fact remains that I have yet to have a problem with our IIS server.