In 2008, the security argument tilts strongly in favor of Microsoft on this one. 37signals hasn't paid millions of dollars to have 10 different security research firms review the code and write penetration test cases and fuzzers. Microsoft started on IIS back in 2003.

I wouldn't use security as a deciding factor (we're a Rails shop), but if I did, I'd be writing C# now.