Interesting study by Google on the distribution of malware across different web servers. They took a sample of 70'000 sites so it is a good indication of what is being compromised to serve up malware to the public.
The breakdown by server software is depicted below. It is important to note that while many servers serve malware as a result of a server compromise by remote exploits, password theft via keyloggers, etc., some servers are configured to serve up exploits by their administrators.
-- Google Online Security Blog: Web Server Software and Malware