No matter whether they’re written by some kid with too much time on his hands, the Mafia, or international terrorists, viruses are just software. Sneaky, malicious software, but software nonetheless. They have to use whatever mechanisms the operating system provides to transmit, install, and run themselves.
Windows (and MS-DOS) was originally designed for standalone, non-networked PCs. For those computers, the only way software could get onto a system was if the user put it there. Many users consider it rude if the operating system gets in the way, so Windows got out of the way and let the user do pretty much whatever he wanted. However misguided that might be. When the new networked world full of bad actors dawned, Windows was woefully unprepared and has basically been closing holes ever since.
Unix, in contrast, was designed from the very beginning for networked, multiuser environments. In those environments, you can’t assume that the user knows what he is doing, and even if he does, you still can’t just allow him to blunder through everyone else’s data. Unix computers were also among the first to be subject to cracker attacks, for the simple reason that for a long time they were the only computers that had both network connections and information worth stealing. Thus, Unix systems draw a sharp distinction between user-level privileges and admin-level privileges. Most tasks run with user privileges, which among other things keep the task from poking its little electronic nose where it doesn’t belong. I’ll spare you the detailed technical explanation, but most unpleasant virus behavior requires admin privileges, and under Unix (or OS X) it’s difficult for a task to get admin privileges unless a human user explicitly gives them to it.
That’s where social engineering comes in, and social engineering attacks will work on ANY computer. If a piece of software can deceive the human user, it can get permission to do whatever the human himself can do. That’s why on really secure systems, only a few humans have admin-level access. Joe the clueless accounting temp can’t give away data that he doesn’t have.
Anyway, the biggest difference between Unix (and OS X, which is Unix underneath) and Windows (pre-Vista) is that admin access is not automatic, for either humans or software. It requires not only confirmation (click a dialog box), but authentication (enter a password). That’s a much higher barrier for malicious code.
No, that does not mean that OS X is an impenetrable security fortress. But it does mean that the number of ways in is far more limited, and therefore the watchers, human or electronic, have much less to worry about. Even as the number of attackers increases – which it will, with growing market share – that structural advantage will remain. And of course the Mac-focused security resources will also increase as market share grows.
(Windows Vista bragged about improved security. I don’t know enough to comment on that.)
Katherine