The problem is that .NET is still based on the Microsoft platform which inherits Microsoft's past attitude to the priority of security.
Sure, the CLR provides a sandboxed enviroment using methord call type and argument checking, preventing buffer overflow and misstype attacks, but it does not provide much protection for failure in application/program logic of the underlying DDLs and Servers. For example, type checking would not provide protection against malformed URLs passed to IE.
See "Meet the future of Windows security exploits
Even Bill Gates acknowledged this issue in his recent "leaked" email.
"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company."
If you say that this issue must also effect Java on the Microsoft platform, well, yes it does.
However, from what I have seen of the C# and CLR interfaces,SUN's Java accesses external interfaces though a higher level of abstraction. This provides a small measure of protection against potental failings in the externel application logic.