I think Ubuntu (and almost all other Linux distros) suffer from the same problem: there is no real security coordination during development. Compare that to OpenBSD which very rarely needs to do emergency security updates.
With that said, Canonical updates the whole system and all applications. Microsoft updates only the core system, even Office is not updated unless you manually opt in.
I think it's more due to the sheer surface.
And for comparison, I think Ubuntu updates almost as much. It just reboots less due to architectural differences.