A Linux distribution is made up of various components written by lots of different projects. Those projects, in turn, are comprised of lots of individuals who contribute code in a loose manner. Microsoft Windows is also made up of various different components, written by several different departments ("projects", if you will) within Microsoft. These projects, in turn, are also comprised of several different people.
If you can blame "Microsoft" for the Conficker worm, then who do you blame when it comes to a Linux distribution?
Say we have a monumental security flaw in X.org that can lead to remote code execution. Almost every distribution packages X.org, but obviously, only a few will actually ship with the hole before it gets discovered. Still, this raises the question: if Microsoft is responsible for Conficker, who are you going to hold responsible for the hypothetical hole here in X.org?
Your Linux distributor, who apparently failed to do proper QA to find the hole? Or will your distributor point to the X.org project? Are they responsible? What if they point to the person who contributed the code, whose name is most likely clearly visible since everything is open?
It really is an interesting question, and in the unlikely scenario that a Conficker-like worm ever made its rounds across Linux machines, I can see a lot of blame being thrown around on mailing lists.