Does windows come preinstalled and preconfigured with more potentially vulnerable software on open ports?

I personally don't value an antivirus that much, since it can only protect you from known threats, and even then, it only matters when you're already getting compromised - but fair point for Windows, I suspect most distros come without antivirus preinstalled and preconfigured.

A firewall, on the other hand, only has value if you already have insecure services listening on your system - and I'm pretty sure on Windows those services aren't gonna be blocked by the default settings. All that said though... Most Linux distros come with a firewall, something like iptables or firewalld, though not sure which ones would have it preconfigured for blocking connections by default.

So while I would dispute both of those points as not being that notable, I feel like other arguments in favor of Linux still stand, like reduced surface area, simpler kernel code, open and auditable source.

One big issue with Linux security for consumers (which I have to assume is what you're talking about, since on the server side a sysadmin will want to configure any antivirus and firewall anyways) could be that different distributions will have different configurations - both for security and for preference-based things like desktop environments. This does unfortunately mean that users could find themselves installing less secure distros without realizing it, choosing them for their looks/usage patterns.