After listening to some Sophos podcast about how malware actually works -uploading code to exploited websites which subsequently exploits web browsers - I had a thought... most of the web is composed of Apache servers. that means Linux and Open Source...

are the exploits based on the software, or just bad programming practices for the websites themselves?

I'd say in more often than not the sites belong to someone who has put the site up FOR malicious purposes, this is pretty obvious, although it's not unheard of for a server to be compromized and then exploited in like manner.

I think the vast majority of these on legitimate sites are a result of SQL injection flaws, which have nothing to do with the OS or web server. They're errors in the web application that can't be fixed at a lower level because as far as the server is concerned everything's working as it should.

That said, Apache and Linux security holes do exist so you always have to be vigilant with your patching. When people aren't, things like this can happen. But of course that's not specific to Linux or Apache either.