
Windows can be hardened as much as Linux and has less attack surface for supply chain attacks. At least, the latter holds when you believe Microsoft as a company is overall more secure and less compromised than tens of thousands of open source contributors working from home.


In both Windows and Linux the number of people contributing code is roughly equal, within an order of magnitude. The difference is that with Linux we understand that every commit must be verified. We do not know to what extent Windows upholds that same standard.


I'm not discussing the general situation as the topic is too vast, just this particular case of OS reaction when a device is connected.


Why the false dichotomy? One should use an OS dedicated to security, e.g., Qubes OS.


QubesOS is so much better than a traditional OS but the separation is (at least in theory should be!) weaker than an air-gapped system as there is still a connection through software (and hardware) components.

But the air-gapped system turned out to be hacked because of the way USB devices are handled by the OS, something that can be very finely controlled in Linux. As for Windows, I didn't do any research, but either (1) it is controlled by Microsoft and you can't turn this automation off, or (2) it can be done but the technicians hardening these systems didn't do their job correctly.


> but the separation is ... weaker than an air-gapped system

Not necessarily: https://www.qubes-os.org/faq/#how-does-qubes-os-compare-to-u...

> But the air-gapped system turned out to be hacked because of the way USB devices are handled by the OS, something that can be very finely controlled in Linux.

This is one of the key features of Qubes: All USB devices are isolated with hardware virtualization into a dedicated VM. It would protect against the USB attack.



