Which, you know, have holes in them.
Do you have a source for your numbers? I'd bet that the general attack vectors for Linux desktops are similar to Windows. Browser? Check. Email? Check. Users? Check. Bad administration? Check.
With a properly set up Windows system you can avoid a lot of the issues people see today (bad defaults).
I'd put money on the general attack vector on Linux being focused at servers and not at desktop users. There are not enough desktop users to even bother (see the Mac argument). However, there are tons of Linux servers out there that are misconfigured and ripe for the taking. This means tricking the user who configured the server and not exploiting a flaw in, say, libc.
For example, let's say I configured Apache to run as root, and have a PHP script that is written poorly and allows code injection. I use this to take over your website and put my own malware up for Windows users to download. This is not a flaw in Apache, Linux, MySQL, etc. It's a flaw in the user not knowing how to properly configure those systems. Just like a Windows user running as admin and executing every single exe that shows up in their mailbox.
This is different than, say, an exploit in the image rendering in IE. That allows you to trick the system into executing code; that is a flaw in the OS. While I am sure there are flaws of that nature in Linux, they would not be the wise attack vector for most malware creators. There simply is no useful market. I have tried very hard for about 5 minutes to find a list of known Linux malware. Beyond http://en.wikipedia.org/wiki/Linux_malware I have come up short. Try that with Windows.
That said, finding a restricted user exploit could be used to trick that user into giving up privileged information to access root. An example would be writing a piece of malware that pretends to be software the user already uses and prompting for the root password to perform an application update. Or creating a script that gets aliased to be called instead of sudo that pretends to do sudo and tells you your password was incorrect, then it stores the password for the real malware, deletes itself and calls the real command you attempted to run. A less astute user could be fooled.
But that is no reason to run as root. Running as a restricted user greatly improves security, and it imposes almost 0 roadblocks to productivity (unlike say trying to be a limited user on XP which can cause problems with software that assumed you would always be admin). It also protects you from yourself.
Example:
I am root. I want to delete every file in the folder /home/me/mp3s. For some reason I type: rm -rf * and suddenly I realize I forgot to change into that directory. If I was root, I no longer have a working operating system. I hope you have backups. If I was a normal user I would start getting permission errors right away. Linux assumes that root ALWAYS knows what it is doing. There is no idiot button.
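
The sudo-shadowing trick described in the post above leaves traces a defender can look for: a redefinition in a shell startup file, or an extra `sudo` earlier in `PATH`. The script below is an added example, not part of the original thread; the function names `scan_rc` and `path_hits` and all sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for a shadowed sudo/su (not from the original thread).

# scan_rc FILE...: print file:line:text for alias or function definitions
# named sudo or su. Exit status 0 if any were found, 1 if none.
# A hit needs review, not panic: `alias sudo='sudo '` is a common benign one.
scan_rc() {
    grep -nE '^[[:space:]]*(alias[[:space:]]+(sudo|su)=|function[[:space:]]+(sudo|su)([[:space:]({]|$)|(sudo|su)[[:space:]]*\(\))' "$@" /dev/null
}

# path_hits NAME PATHSTRING: print every executable NAME, in lookup order.
# The first line is what the shell would run; it should be the system copy.
path_hits() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.   # an empty PATH element means the current dir
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# Constructed sample: a startup file with one shadowing alias, and a PATH
# whose first directory holds a stand-in file named sudo.
demo=$(mktemp -d)
mkdir "$demo/userbin" "$demo/sysbin"
printf '%s\n' 'export EDITOR=vi' 'alias sudo=/tmp/.cache/helper' \
    'alias ll="ls -l"' > "$demo/rc"
: > "$demo/userbin/sudo"
: > "$demo/sysbin/sudo"
chmod +x "$demo/userbin/sudo" "$demo/sysbin/sudo"

scan_rc "$demo/rc" || echo "no sudo/su redefinitions"
path_hits sudo "$demo/userbin:$demo/sysbin"
rm -rf "$demo"
```

On a real account, pass the user's startup files to `scan_rc` and `"$PATH"` to `path_hits`; more than one hit from `path_hits`, or a first hit in a user-writable directory, is the thing to investigate.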