Of course any computer is vulnerable if you have direct local access to it, or if you're silly about passwords. The book The Cuckoo's Egg documents various hack attacks on UNIX that took place in 1986, in which secure military systems were brought down by "human factors", such as weak passwords and "social engineering" (i.e. call someone up and ask for the password). There were also remote attacks such as the Morris worm, which exploited some known bugs in UNIX processes. When we talk about systems being vulnerable these days, we hope that people and designers have learned from these and other past vulnerabilities and closed them off, but of course it's not guaranteed.

One main difference between UNIX and Windows systems, in the past, has been that you had Windows users running with administrative privileges at all times, while the "root" user on a UNIX system was clearly defined as "only when you have to". You could log in as root and do work, but if you read any books or received any training, you were left in no doubt that that was a Bad Thing. If you're running e.g. a web browser, it should be running under your limited permissions, why would it need anything more? Normal UNIX users had no choice in the matter - permissions were enforced by the sysadmin.

Which wasn't a problem at first, since UNIX systems were always designed to be run by a trained sysadmin, but if you're going to roll out UNIX (Linux, Mac OS X, etc.) to users who are not sysadmins, you have to give them a way in, which led to the "su" or "sudo" method. This gives you temporary root permissions using your own password, not a root password. You launch an application with "sudo" do what you have to do, and close the app. If any application were to try that, you get asked about it - is it necessary? If that sounds like what Microsoft has been doing with Vista and W7, it's not a coincidence.