Bear in mind as well that security is what you make it. Neither Linux nor Windows are secure by default. Both can be made pretty secure if the effort is put in to harden and patch them.
Personally, I think this is more important than how many days it takes this vendor or that vendor to produce a patch.
How many attacks (e.g. worms, viruses, crackers) an OS attracts is important too (Windows leads on the first two, maybe not on the third, but all that could change over time).
One factor you should consider is whether it will be easier for your Solaris admin people to learn Linux security rather than Windows security. I would think that it would be.