It's not down to the OS or OS vendor. Most rootkits are exploiting bugs, not intentional backdoors, and many of them are exploiting bugs that are not in the OS but in third-party applications.
E.g. a common approach is to look for common third-party applications that require admin/root privileges for some part of their functionality, and look for ways of tricking them into executing your code (via e.g. buffer overflows, or by finding ways of modifying the configuration with lower privileges).
So unless you never install third-party software, you are potentially vulnerable even if the OS is flawless (and it isn't - no matter which OS you pick).
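
A defensive check for the configuration route mentioned above, added here as an example and not part of the original comment: it reports whether a config file read by a privileged program, or any directory above it, can be written by an account outside a trusted set. The function name `audit_config` and its `trusted_uids` and `stop` parameters are assumptions made for this sketch, and the paths to audit are supplied by the caller.

```python
import os
import stat
import sys


def audit_config(path, trusted_uids=frozenset({0}), stop=None):
    """Return (path, reason) findings for a config file a privileged program reads.

    The file and each parent directory up to `stop` (exclusive) or / are checked:
    write access for an untrusted account at any level lets that account change
    what the privileged program loads.
    """
    findings = []
    current = os.path.realpath(path)  # follow symlinks to the real target
    stop = os.path.realpath(stop) if stop else None
    while True:
        st = os.stat(current)
        is_dir = stat.S_ISDIR(st.st_mode)
        # In a sticky directory, non-owners cannot rename or delete other
        # users' entries, so write bits there do not allow replacing the file.
        sticky = is_dir and bool(st.st_mode & stat.S_ISVTX)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by untrusted uid {st.st_uid}"))
        if st.st_mode & stat.S_IWOTH and not sticky:
            findings.append((current, "world-writable"))
        if st.st_mode & stat.S_IWGRP and not sticky:
            findings.append((current, f"group-writable (gid {st.st_gid})"))
        parent = os.path.dirname(current)
        if parent == current or parent == stop:
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Usage: python audit_config.py /path/to/service.conf [...]
    for target in sys.argv[1:]:
        for where, reason in audit_config(target):
            print(f"{target}: {where} is {reason}")
```

Group-writable findings need a follow-up look at who is in the reported group; the script only reports the gid.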