There are some best practices used by major distributions, for example:
- mandatory access control (SELinux, for example),
- firewall by default,
- policykit fine-grained privilege control,
- buffer overflow protection,
- restricted kernel memory access to stop many rootkits,
- higher level hashing for passwords
However, the weakest link is always system administration, and any OS can fall victim to human error.