If you don't know already, here is an indirect answer. I'll quote directly from Bill Gates' latest speech:
Now, in terms of delivering on more secure systems, I think there are three general things that we do. The first is advancing the technology. We spend over US$6 billion a year on research and development. I'd say that over a third of that is directly security-focused, and the other two-thirds all tie in and relate to that security work, all the new code being reviewed and going through the threat model, a pretty dramatic thing there. So, big advances on the technology front, and I'll spend most of my time talking about the milestones there and the road ahead there.
Note the text in red. It simply states that Microsoft is spending over two billion dollars yearly on security R&D initiatives.
While that is mind-boggling, I would point out that this effort is still an ongoing process. Security is a hugely complex problem, and it is not just fixing buffer overruns in various Microsoft products. That, actually, is just a small part of the problem. All our effort to ensure better education about how to secure their systems, automatic patch management systems, anti-spyware initiatives - it's all there.