Yeah, that's the problem. LSWS runs atop and alongside a whole heap of third-party code, and depends on much of it, in some ways critically. So they would also need to meet a certain level of trust. It can be done, but it's harder to get all the boxes ticked.
At least when MS are cooking up a solution, they write and own everything right up from the networking code to the OS to the web server, etc., so they can tighten it all up together and audit it all as a package.
Oh, and yes, MS can write secure code. IIS is now extremely secure and stable. I get all the security vulnerability newsletters and you could count the publicly identified vulns on any version of IIS since about 2003 on one hand, if that, in marked contrast to just about every other web server out there, esp. stuff like Apache 1.x or 2.x. They did a good job with IIS. Credit where credit is due.