Either can be perfectly secure (…just leave the disk in the box 
) or perfectly insecure; depends on the decisions that you make. Choose passwords like ‘password’ and you are not going to have much chance, irrespective of your choice of distro.
Having said that, some distros are better at responding rapidly to advisories, and while that is a real difference, you can completely negate it by not doing updates in a timely manner.
While I don’t really like the way that Ubuntu handles the root account and some of the defaults, you can make an adequately secure box with either (assuming some stuff like physical access control) assuming a level of competence on the part of the administrator and assuming a level of competence on the part of the administrator, the fact that some defaults are, err, unhelpful can be overcome.