Your Linux PC isn't as secure as you think it is

Chris Hoffman | Dec. 15, 2014
If 2014 taught Linux users anything, it's that they can't afford to ignore system security completely.

X.org is such a big problem because it's based on the X11 architecture, which originated 30 years ago. Thankfully, new graphical server technologies like Wayland and Ubuntu's Mir are about to take X.org's place.

Shellshock was terrifying for Linux desktop (and server) users
Remember Shellshock, a bug in the Bash shell used on Linux and other Unix-like systems? The advice from security experts at the time was that it didn't affect desktop users. Windows PCs didn't have Bash. Macs did, but it was only used by advanced users who went looking for it.

The situation was different on Linux desktops and servers, where Bash is used constantly. Terrifyingly, every DHCP request your computer made was run through Bash. So, if you connected your Linux laptop to a compromised public Wi-Fi hotspot, the DHCP server could give a response that would force your Linux system to run an arbitrary command--possibly downloading some sort of Trojan. Here's an easy proof-of-concept attack.

Security updates quickly neutered the threat for desktop Linux users, but the Shellshock vulnerability was present in Bash for 20 years. Sure, we don't have any indications of widespread attacks against Linux desktop users, but that's not the point. The point is that Linux desktop systems were wide open. When Linux users gloat about how much more secure our systems are than those Windows desktops, we might want to remember how Shellshock affected us.
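To confirm that the Bash fix actually landed on a given machine, the following added example (not part of the original article) probes each bash binary it can find and reports whether it still runs code smuggled in through an environment variable, which is the behaviour the DHCP scenario above relied on. The function names and the marker string are assumptions chosen for illustration.

```bash
#!/bin/sh
# Added example (not from the article): audit local bash binaries for Shellshock.

# Probe one binary; prints "vulnerable", "patched" or "missing".
# The probe variable holds a function definition followed by a harmless echo.
# An unpatched bash executes that echo while importing its environment,
# before the requested command ('echo done') even starts.
probe_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then echo missing; return 0; fi
    out=$(env -i probe='() { :;}; echo SHELLSHOCK_MARKER' \
          "$bin" -c 'echo done' 2>/dev/null) || true
    case $out in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Collect candidate bash paths: the one on PATH, any listed in /etc/shells,
# and the usual install locations. Duplicates are removed.
list_bash_binaries() {
    {
        command -v bash || true
        if [ -r /etc/shells ]; then grep -E '/bash$' /etc/shells || true; fi
        for d in /bin /usr/bin /usr/local/bin; do
            if [ -x "$d/bash" ]; then echo "$d/bash"; fi
        done
    } 2>/dev/null | sort -u
}

# Probe every candidate; returns non-zero if any binary is still vulnerable.
audit_bash() {
    status=0
    for b in $(list_bash_binaries); do
        r=$(probe_bash "$b")
        echo "$b: $r"
        if [ "$r" = vulnerable ]; then status=1; fi
    done
    return "$status"
}

audit_bash
```

A non-zero exit status means at least one copy of bash on the system still needs the distribution's security update.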

Are you even getting security patches?
Thanks to the way Linux packaging and software repositories work, you may not even be getting the security patches developers release. Sure, you'll generally get them for your web browser and other important pieces of software that are considered "officially supported," but what about the other packages the community is responsible for?

There are lessons to be learned from the ownCloud packaging mess in Ubuntu. This piece of server software wasn't getting updates in Ubuntu. The community member who originally packaged it just decided to move on, leaving the ownCloud package orphaned and vulnerable.

And that's just with Ubuntu. Be careful if you're using one of the smaller, niche Linux distributions. The Arch Linux-based "Manjaro" distribution hasn't been receiving timely security updates like it should. This is understandable if you're using a small distribution and the developers are working on it as a hobby, but it's something to watch out for... and a risk to actual users.

Linux system security is broken, but so is everything else
So your Linux system isn't as secure as you thought it was. Well, that's not really an attack against Linux in particular. All computer security is pretty bad. As Quinn Norton titled her excellent rant on the subject, "Everything is Broken." Yes, even Linux, and--more importantly--all the software programs you have to put on top of Linux to get a functioning system.

 
