The situation you describe isn't anything I've ever witnessed (ever). I'd have to see what the SANS institute did in their "study" to come up with those figures, because they don't even come close to mirroring reality. I have a feeling it was something like actively attack the computer with a method that was known to be successful with a computer that wasn't patched. 174 minutes sounds like a brute force attack on a basic password. If FTP is on you can quite easily brute force the password due to how FTP works, but any operating system is vulnerable to that same attack.
Interestingly enough, the securing mechanisms for IIS are eerily similar to the ones for Apache/etc. I.e., keep it patched and don't write stupidly vulnerable software that does stuff like directly read fields into database queries and such. Likewise, don't give the account executing when users visit admin rights, etc. Common sense stuff really. One of my co-workers who came from the NSA said the major difference between XP/FreeBSD in terms of security was the ability to spoof the IP table, which is fixed in Vista. Certain applications like Firefox & IE are vulnerable to attacks where the 3rd-party libraries they use to render JPEGs and such are poorly written. All in all though, assuming a patched system, the biggest contributor to insecurity is the person using the computer.
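The "directly read fields into database queries" mistake the poster mentions, shown as an added example (not code from the post or from any product it names): the unsafe lookup splices the user-supplied field into the SQL text, the hardened one binds it as a parameter. It uses an in-memory sqlite3 table and a constructed input.

```python
import sqlite3


def make_db():
    """Constructed sample table: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the field is read straight into the query text, so the
    query structure is whatever the caller makes it."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the driver binds the value; it is compared as data and can
    never alter the WHERE clause."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed input that turns the unsafe WHERE clause into an always-true one.
CONSTRUCTED_INPUT = "x' OR '1'='1"


def compare(name=CONSTRUCTED_INPUT):
    """Return row counts for the same input under both lookups, so a reader
    can see the unsafe path leak every row while the safe path matches none."""
    conn = make_db()
    return {
        "unsafe_rows": len(lookup_unsafe(conn, name)),
        "safe_rows": len(lookup_safe(conn, name)),
    }


if __name__ == "__main__":
    print(compare())  # {'unsafe_rows': 2, 'safe_rows': 0}
```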