There have been incidents where people who have found security flaws have contacted the operators to point out the flaws instead of exploiting them. Most of these incidents have ended with the person finding the flaw being at the receiving end of a lawsuit for being friendly.
As for MS, they should be easy enough to hack if people really wanted, what with their servers so filled with flaws. But if they're running the servers on non-MS machines there might be harder-to-hack software there. Like for example, Hotmail was run on Linux servers. And I quite liked their "anti unix" page which was to inform people of why they should choose MS instead of Unix-like environments as part of a campaign. Only problem was it was hosted on a Unix server. After someone pointed it out on various news sites they quickly changed it to an MS server, but were still running MySQL instead of their own SQL server.