Some snipptes from your writing...
I think this *could* be a good thread. But only if it is kept within boundaries. Everyone should remember that balancing functionality with security is the challenge. How much functionality that is necessary depends on your needs. Advice like "not offer servers to the Internet" does nothing to help the system with a web server requirement. Not using "ActiveX, Scripting, Internet Explorer or Outlook Express" does nothing to help the person that is required to use them.
Bottom line, eliminating functionality is not a security measure. It is an avoidance. Avoidance can be taken to the extreme by using "airgap" technology (open air - not connected to the Internet). I would prefer that folks concentrate on security best practices rather than using this thread to champion their personal causes like Linix, Unix and Anti-MS jabber.
I attended a vendor specific Spyware seminar yesterday. One of the points the speaker made was this. Popularity + standardization = vulnerability. He cited an example that occurred in Japan a while back called the "911 virus" on Cell Phones. Japan was standardized on Cell Phones. Almost every Cell Phone in Japan works the same. That allowed a virus writer to write a virus that quickly propagated to all Cell Phones quickly (using the social engineering methods and text messaging) and due to constant automated calls to Japan's 911 emergency number, it was virtually shut down for a number of days before this could be corrected. The speaker pointed out that this could never happen in America to such an extent because there is not enough compatibility and standardization amongst the Cell Phone manufacturer's equipment and the Cell phone users handsets. True.
The above is a good example to point out that the real challenge is adding security ON TOP OF functionality. Not, reducing functionality to gain security. Again, everyone needs to establish their own comfort level with functionality verses security, depending on their own system's risk tolerance, their own needs, their own administrative capabilities, and the potential impact that a compromised system would have. Solutions won't be the same for everyone. That's why these things are called "best practices", depending on your needs.
Just my thoughts...