A virus that finds its way into a Linux system might also be able to do a local exploit and elevate itself with root privileges.
Definitely. Rootkits are real issues in Unix systems. The fact that systems may be compromised due to design faults is very real too. For such cases, SELinux, AppArmor, Grsecurity and probably some other such MAC policy options will help to circumvent these issues.
Unfortunately, these options are normally only really effective with system administrators or developers who are well aware of the environment they are operating in. Even skillful administrators do find such tools a hassle when introducing new variables into the system.
For consumers, the options are rather limited to firewalls, sandbox concepts and so forth.
One thing we must agree on is that security and ease of use are normally contradictory. You want your system to be secure, so you harden it, but that makes working with it more troublesome. You want ease, so you compromise on security and create a chance for vulnerability.
I have always advocated that "Security is not a tool. Security is a practice". The weakest link in all security is normally the human factor. Give the human a set of SOPs to follow all the time and leakage is still possible, mainly because sometimes we just tend to overlook things, either deliberately or unintentionally.
In fact, there are also products such as IBM QRadar and Guardium and more that help to find out exactly which applications are misbehaving, accessing systems or data that they are not meant to. Audit logs of all actions can be recorded and later analysed for unusual patterns, and administrators can then be alerted for action.
All operating systems have options for hardening, so it depends on how aggressive one wants the system to be. While it seems contradictory, in my opinion, security is much easier to implement in enterprises than in the consumer space. The reason is that enterprises normally don't install software haphazardly; it is also normally tested for security and functionality before actual deployment into the production system. These systems are normally placed in a more secure environment: behind firewalls, in a scrutinised network environment, with limited physical access to the system, and they may include Intrusion Detection Systems (IDS) that monitor unusual traffic in and out of the systems.
During projects, these systems also have to submit firewall rules that clearly state the source and destination, narrowed down to a stringent list, and have to indicate their usage. Some services, instead of using public servers such as mail servers, NTP servers, DNS servers and so forth, use hardened services internal to the environment and are hence inherently more secure.
Therefore, the notion of security is a holistic perspective, not just a matter of which operating system to use. The privilege level of the user account can only prevent so much; it's up to an assorted list of practices that go with the environment to ultimately provide the security that is expected.