Yes, I've just read that and personally I think the jury is out still.
Thor's research does show an exploit but there are a number of reasons why it's possible. The exploit is an old one where you pass off a command line to a URL helper for things like gopher: or telnet:.
On OSX, URL helpers run through Launch Services which is where I suspect Apple places its security checks. Safari I'd think itself isn't responsible for the security.
On Windows there's no such thing so the program that passes off the URL or gets the URL has to filter it. It would seem that the Safari team overlooked the fact that Windows sucks ass for security and will have to do their own filtering. Also implicated is Firefox I'd say since it appears you can pass it an exploit on the command line and it'll happily suck it right up.
Perhaps I'm wrong here but the upshot is that browsers on Windows need to do a lot more checking than they'd do on MacOSX.
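
What filtering a URL before handing it to an external helper could look like, as an added example (not part of the original post and not Safari's or Firefox's code). The scheme allowlist, the set of rejected bytes and all function names are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical allowlist: schemes this application agrees to pass to a helper. */
static const char *const ALLOWED[] = { "mailto", "telnet", "gopher" };

static int hexval(unsigned char c) {
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

static int scheme_allowed(const char *s, size_t n) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        const char *a = ALLOWED[i];
        size_t j = 0;
        if (strlen(a) != n) continue;
        while (j < n && tolower((unsigned char)s[j]) == a[j]) j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Bytes that could end or split a quoted command-line argument. */
static int unsafe_byte(unsigned char c) {
    return c <= 0x20 || c == 0x7f || c == '"' || c == '\\';
}

/* Returns 1 only if the URL may be handed to a helper; checks one decoding pass. */
int url_safe_for_helper(const char *url) {
    const char *colon = strchr(url, ':');
    if (!colon || !scheme_allowed(url, (size_t)(colon - url))) return 0;
    const char *p = colon + 1;
    if (p[0] == '/' && p[1] == '/') p += 2;
    for (int first = 1; *p; first = 0) {
        unsigned char c = (unsigned char)*p++;
        if (c == '%') {                       /* inspect the decoded byte too */
            int hi = hexval((unsigned char)p[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[1]);
            if (lo < 0) return 0;             /* malformed escape: refuse */
            c = (unsigned char)(hi * 16 + lo);
            p += 2;
        }
        if (unsafe_byte(c) || (first && c == '-')) return 0; /* no option-like start */
    }
    return 1;
}
```

The check refuses by default: anything outside the allowlist, any malformed escape, and any byte that would be unsafe after the helper decodes it is rejected rather than rewritten.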