The reason is not inherant security, it's the users.
Inexperienced users never bought Win2k systems. Experienced users who recognized the great opportunity to jump from NT4 to 5, or from 98 to 5 (5 being Win2k for you younger folks) instead of having to continue suffering through Win9x made the right choice.
Once these mature Win2k boxes were set up well they ran like a top for years. If the user had it working well there was no good incentive to change OS unless you had an OEM license and bought a new PC with a XP license, or later Vista.
What about Vista? It's lower than XP because the next generation of computer enthusiasts were more eager to try it, more frequenty hardware replacements too, people more technically inclined than the average person but less experienced than the Win2k owners on average (would not apply on a person by person basis but let's face the truth, the average also comes from people who no knowing about computers but bought a new one too with Vista on it).
XP is most infected because it is the most likely OS of the average joe or jane. Also because it's been around so long, more chances to become infected. Lower real security than VIsta too.
There you have it. Win2k users are simply more security savvy. They might be older and have more disposible income so they aren't pirating as much software too, or have wives so they don't have quite so much of a porn surfing habit either. It would help more if a study could pinpoint infection method.
rsud, you assume Win2k means an old system but it is the superior OS for the newest gee whiz bang PC too. It has a clean no nonsense interface, less annoying n00b help than xp or vista, a smaller footprint and higher performance. It supports the vast majority of things that run on XP, apps and hardware drivers, without the negatives of XP. It has slightly lower inbuilt security but it's mostly irrelevant because it is not OS that usually reveals a security flaw, it is a weak application like the browser, email client, or poor user choices. There is nothing different that needs to be targeted for 2K, someone writing an exploit for XP would almost always infect either 2k or xp. They are very similar except in some ways xp more secure, in others not as much also depending on service packs and patches applied, but in general they are the same for the purposes of a virus author wanting to maximize infections by writing for as many windows versions as possible.
dmacfour, XP is not particularly instable, either your drivers, system or applications are. Blame the right problem. If you get a virus regularly, you are doing something wrong and maybe that is why it is instable too. There are plenty of viruses out there that can't be detected by antivirus software yet, if ever. Maybe I should write that you are doing something right, it seems you need Vista to stay secure so for you the bloat at least adds some features you find useful for your online protection.
Malware authors are not targeting OS so much at all, they are targeting entry points with code that could run on windows in several versions. It is possible because windows has compatibility, that helps a virus writer as well as an application developer.
Basically the data didn't support the report conclusion. The information was that systems running win2k were less infected than vista, but that alone does not resolve why.