The same way any other crap (such as Windows, Java, PHP, NodeJS, Docker - you name it) wins - its winning is due to a "catchy meme" about it, which triggers an automatic, ignorant snap-judgement of an unsophisticated consumer.
Look, with Java you don't have to think about hardware and OS - a greatest meme ever (and you have to pay for tons of hardware because Java = waste). NodeJS - you could code server-side apps the very same way you write stupid web-pages (without any deep knowledge) - great meme. With Docker no sysadmins are required, and an underlying operating system is just viewed an abstract "container" for an app (they you will pay to "experts" who would spend weeks analyzing why your crap is so slow and unpredictable in production). With systemd you don't have to understand the subtleties, and it is run with Docker. Yay!
Do you apply updates? If so, have you ever seen how it breaks functionality of legacy code? Never seen problems with third party tools like Delphi or Java? Never seen Trojan or a virus?
Yes we apply updates after testing them. MS11-100 was the only breaking change we've had in 10 years and we picked that up in test no problems at all and knew about it as we read about it before applying the patch in the KB article that accompanied it. Did you know Ubuntu LTS releases shipped buggy and broken MySQL versions multiple times? We caught them in testing. Canonical haven't fixed MySQL in 10.04LTS yet.
No problems with Java, ever in 10 years. We don't use Delphi. Did you know that Debian broke the entire SSH key generation infrastructure for a bit leading to insecure key generation. We regenerate our own keys up front anyway.
Never seen a Trojan or virus because we have proper mitigation at the edge of our network and on critical machines and everything is locked down properly. Did you know about SSH worms -- you know the things that hammer the crap out of every node with SSH on it for the last 5-6 years? We mitigate at the edge (authenticating firewall).
If your opinion of windows is based on such things, you're approaching the problems wrong.
I never seen any statistics about bootnets hosted on rooted Debians. I also remember that in Metasploit framework the number of exploits targeting windows is incomparable larger than Linux related. The last time I made a firewall it was OpenBSD/spark64 based, and I think it is still in production. I never used Debian or Ubuntu as a server. There are Centos or RHEL for that, and I am capable to recompile and repackage any tool I needed.
Sorry, I cannot understand most of mentioned difficulties.
Likewise I don't understand your POV -- in fact I think you're spouting rubbish much as most advocates seem to. I've been dealing with Windows, Linux and BSD systems for 20 years and there's really not much in it between them.
The bad rep Windows gets is from idiot users clicking Ok. If we had user friendly OpenBSD desktops with idiots pushing the buttons we'd have the same statistic with a different OS.
The brand doesn't matter - the fundamental problems are the same.
Let's say that I am very sceptical about any proprietary bloatware pushed by big money and developed by outsourcers on a payroll. I also do not believe in the myth that these corporations employ more talent that is behind some selected open source projects and startups. In Russia where traditionally IT is heavily dominated by Windows and now Java and SAP, I have seen enough, and it is what biased my POV.)
Forget the words bloatware, outsourcers and money for a minute...
Surprisingly it's rarely the core products of the companies that are problematic. It's usually the army of consultants and cash backhanders (the enterprise lot) who come wading in to pillage everyone. That's where the bad rep comes from. They build half-arsed products on top of these platforms which everyone comes to hate.
Regarding open-source talent; much as it is anywhere else, it's hard to come by. In fact a lot of the open source software out there is considerably worse than the closed source stuff that I've seen over the years. There are a few gems here and there for example the FreeBSD operating system, LLVM, valgrind, postfix, postgresql etc but the vast majority is total half-baked shit. I include a big chunk of GNU in that as well which is shameful.
The vast majority of commercial software is total shit too.
Regardless of that, the core of Windows and even Java (but not SAP - I've had my fair share of integration there) are good products. Just don't go and grab piles of enterprise integration junk on top and it's fine.
That, IMHO, is where all the pain comes from and why people have such hatred.
Hatred is infectious as well. It takes experience to distinguish justified hatred and rumors.
Look, with Java you don't have to think about hardware and OS - a greatest meme ever (and you have to pay for tons of hardware because Java = waste). NodeJS - you could code server-side apps the very same way you write stupid web-pages (without any deep knowledge) - great meme. With Docker no sysadmins are required, and an underlying operating system is just viewed an abstract "container" for an app (they you will pay to "experts" who would spend weeks analyzing why your crap is so slow and unpredictable in production). With systemd you don't have to understand the subtleties, and it is run with Docker. Yay!
The list could be too long.