I'm still not sure how you think a WM device is infected. I assume we can eliminate a user who installs a virus because that can happen on any device. So it sounds like you think a WM device can be infected by just hitting a web site which I can't find a record of, at least not recently.
A virus cannot magically install itself on any device. It needs someone to open the door (install) or it needs an open window like a listening service. The classic examples are IIS for web servers and SQL or database servers which are created to just listen for commands. I'm just not seeing these "many known security vulnerabilities".
Related to the topic, it seems that the top rated security devices are based
on Windows CE but it does say that both BB and WM are able to work with "sensitive, but unclassified" data. If WM were so bad I'm not sure why it would be put in the same boat by the government as BB, unless what I'm saying has some truth to it and both can be made secure through proper administration. Or maybe I'm wrong.