The scenario is: somebody without concern about security is navigating through the web. This person will access dubious websites, like adult content or media sharing, for example.

Between a PC with Windows and a smartphone with Android, which one is the less bad option for this person? If the answer changes depending on Windows or Android versions, please specify those versions.

Mycroft
  • Not completely serious: I'd go with windows and a web stack like Virtualbox - OpenBSD - chromium with w^x and pledge ;) – Uroc327 May 05 '19 at 13:44
  • My pessimistic view is that somebody without concern about security will fail miserably no matter which platform that person uses. (Similar to incompetent players in computer games. They can throw away a game even when it is a guaranteed win.) – Alex Vong May 05 '19 at 17:05
  • If you're not concerned about security, surely you'd just go with the one that's the most convenient? If someone has enough concern about security to care about the answer to this question, they should probably instead spend a bit of time reading up on best security practices and trying to understand what's actually happening on their device, which would make either option a whole lot more secure than either would've been without that knowledge. – NotThatGuy May 05 '19 at 18:15
  • Safe from what threats? **What is your threat model?** – jpmc26 May 06 '19 at 02:43
  • @NotThatGuy It's not to me. As you said, I would not be on this site if I was not concerned about security. – Mycroft May 06 '19 at 04:07
  • @jpmc26 Non-targeted malware. Just malicious content across the web, basically malicious websites or downloads. – Mycroft May 06 '19 at 04:08
  • @Mycroft Then it depends at least as much on browser as OS. – jpmc26 May 06 '19 at 04:09
  • @jpmc26 Consider the safest browser that you know on both PC and smartphone (I will appreciate it if you list it). Which OS would you choose in this case? – Mycroft May 06 '19 at 04:15
  • Note that if you use an ad blocker and stick to larger and more professional sites like the ones of the Mindgeek network, adult content actually has very little malware, because these larger sites are actively maintained by professional developers who know security best practices and put them into action. I believe I once read a study that compared adult content to religious sites and found that the religious sites are a lot riskier in terms of malware, because they tend to be maintained poorly (if at all), usually by a family member or friend who does it as a side activity. – Nzall May 06 '19 at 06:29

4 Answers


First, here I compare an up-to-date Android phone which receives regular updates with a Windows PC which receives regular updates. While this might be the normal case if you buy a PC with Windows 10, it is not guaranteed if you just buy a cheap Android phone. Thus, I assume that you use a vendor and product known for its good product support, like phones from Google or the Android One phones. Even then the phones will only get updates for a few years, which is usually not as long as a PC would get updates. Thus, you might need to replace the phone after a few years with another one.

With this in mind ...
The security features of the underlying OS in terms of protecting the applications themselves are basically the same, i.e. both provide hardening of the kernel, offer layered security with sandboxes inside the browser etc.

One major disadvantage of Windows compared to Android is that in Windows all applications started by a user essentially run as the same user and can thus affect each other. This means that a compromised Word document could lead to the installation of malware which could read the password store of the web browser. In Android instead the different apps are more isolated from each other, since they are running as different users and data has to be explicitly shared between the applications, except for data stored on some common storage where all apps have access.

Another advantage of Android is that applications are usually installed from the Google Play Store and the user needs to explicitly go into the settings and allow apps from third-party places to be installed. And while Windows has some kind of app store too, it is currently common to install apps just downloaded from the internet, from some CD-ROM or a USB drive. This attack vector is actively used to trick users into installing some apps, because they are allegedly needed to view a video on some (usually illegal) video sharing site, allegedly are a security update for Adobe Flash which is needed, or similar. While an app store like the Google Play Store might contain bad apps too (and often did in the past), it is still much less likely to get a bad app from the app store than one would get from just downloading something from the internet. And, as explained in the previous point, the harm a malicious application can do in Windows is significantly higher than what it can do in Android.

Additionally, entire classes of attack vectors which affect PCs are not relevant on Android phones: there is no Flash, no Java applets, no macros in Office documents, no EXE, SCR, ..., which means many of the typical malicious payloads in mails will simply not work. Credential phishing done through mail or by tricking users when browsing the web is relevant on both platforms though.

One main disadvantage of a phone vs. a PC is the smaller screen size and therefore the reduced amount of information, and the ways information can be displayed by interacting with the device. For example there is no such thing as hovering over a link or right-clicking for a context menu in order to receive more information about the real link vs. the claimed link. Often the URL of the visited site is also not shown, to save crucial screen space for the actual content. But, given your intended non-technical audience, this loss of information might not be that much of a problem, since this kind of audience can probably not deal with this detail of information anyway.

But in summary I think that an Android phone which is currently up-to-date and will be kept up to date (which means buying a new one after some years) is the better choice for a non-technical person with only a few needs in terms of communication, i.e. basically web browsing, mail and messaging.

Steffen Ullrich
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/93313/discussion-on-answer-by-steffen-ullrich-what-is-more-safe-for-browsing-the-web). – Rory Alsop May 06 '19 at 23:17


It depends on the user's behavior.

Windows is extremely susceptible to people who open spam emails, double-click an attached file, and click away that UAC prompt so they can view naughtygirl.jpg.exe.

Windows is also very susceptible to people falling for malicious "you got a virus, install our tool to remove it" advertisements.

A phone makes it easier than Windows to download apps which use unethical-but-legal exploits, usually gambling/addiction-based in-app monetization. Some people will claim that has nothing to do with security, but if the user suddenly loses $1000 without realizing it, that should be considered a security issue.

A phone is far more likely to be on an outdated OS version with known critical vulnerabilities.

Windows is more likely to run sophisticated Anti-Virus software, which will also provide some protection against some other attacks, depending on the specific AntiVirus software.

If the risk of data corruption is considered a security concern, some phones with some SD cards are more susceptible to random file system corruption than an average Windows machine.

Phones often have superior built-in backup solutions compared to Windows, which will address some security concerns.

Phones are more likely to be lost or stolen.

There are some malicious websites that grab phone numbers of the visiting device, and then falsely state you subscribed to a premium SMS service. Only works if the service provider cooperates with the scam, so it depends on your country and service provider.


The above list is incomplete, and everything on the list can affect both phones and Windows machines, but statistically speaking each of them is more of a problem on one platform than the other. Many of the issues can also be specifically addressed with settings, 3rd party software, or user education.

In conclusion, it's close enough that the difference in security can be ignored when deciding which device to get. More relevant arguments are form factor, user preference, and Windows Update's tendency to reboot the PC without asking.

Peter
  • Love this answer, because it's the only one mentioning subscription scam. I believe this kind of scam is quite common at least in Russia. – svgrafov May 05 '19 at 17:35
  • For the naughtygirl.jpg.exe: MacOS has for many years displayed such filenames with the double extension, even if the user turned on "hide extensions", so this would never be displayed as naughtygirl.jpg. – gnasher729 May 05 '19 at 22:25
  • @gnasher729 Unfortunately, MacOS is still vulnerable to RTL unicode reversal which is _far_ more stealthy than using a double extension like that. – forest May 05 '19 at 22:34
  • @forest: That's beside the point. You have to assume the user is technically illiterate, because technically illiterate people are a substantial subset of the population. Therefore, attackers will target technically illiterate people unless you specifically defend them. This is why web browsers and operating systems are increasingly removing the "disable this security feature" buttons - it's the only surefire way to prevent the user from clicking on them! The technically illiterate user knows nothing of `.exe` and `.jpg`, they just know there's a "naughty girl" and they want to see her. – Kevin May 07 '19 at 06:12
  • @forest is that vulnerability in unicode domain names too? – Kevin Wheeler Feb 25 '21 at 04:16
  • @KevinWheeler I don't think so since that's a control code, not just a unicode character. But you could get the same result with an IDN homograph attack. – forest Feb 27 '21 at 23:36
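Peter's naughtygirl.jpg.exe and the right-to-left override that forest brings up in the comments are both detectable from the file name alone, which is where a download or attachment filter on the Windows box would catch them. The script below is an added example, not code from the answer or from the comments; the two extension lists, the space-padding variant and the command-line wrapper are my assumptions about what such a filter should cover.

```sh
#!/bin/sh
# Flag file names that disguise a Windows executable as a picture or document.
# Added example; the extension lists are assumptions, extend them as needed.

# Extensions Windows runs on double-click.
EXEC_EXT='exe|scr|com|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta|msi|jar|lnk'
# Harmless-looking extensions that get put in front of them.
DECOY_EXT='jpe?g|png|gif|bmp|pdf|docx?|xlsx?|pptx?|txt|mp[34]|avi|mkv|zip|rar'

# U+202E RIGHT-TO-LEFT OVERRIDE as UTF-8 bytes (E2 80 AE).
RTLO="$(printf '\342\200\256')"

# Print why the name is suspicious and return 0, or print nothing and return 1.
suspicious_name() {
    name="$1"

    # naughtygirl.jpg.exe: a decoy extension followed by a real executable one.
    # Explorer hides the last extension by default, so the user sees
    # "naughtygirl.jpg". The " *" also catches "invoice.pdf        .scr",
    # where spaces push the real extension out of the visible column.
    if printf '%s\n' "$name" | grep -qiE "\.($DECOY_EXT) *\.($EXEC_EXT)\$"; then
        echo "double extension"
        return 0
    fi

    # photo<RTLO>gpj.exe: everything after the override is drawn right to
    # left, so the name renders as "photoexe.jpg" although the extension is
    # .exe. No legitimate file name needs this control character, so any
    # occurrence is enough to flag it.
    if printf '%s' "$name" | LC_ALL=C grep -q "$RTLO"; then
        echo "right-to-left override"
        return 0
    fi

    return 1
}

# Stand-alone use: ./check-names.sh NAME...   (one verdict line per name)
for f in "$@"; do
    if reason="$(suspicious_name "$f")"; then
        printf 'SUSPICIOUS  %s  (%s)\n' "$f" "$reason"
    else
        printf 'ok          %s\n' "$f"
    fi
done
```

A plain setup.exe is deliberately not flagged: the check is about disguise, and an undisguised executable at least gets the warning and the UAC prompt Peter describes. The RTLO test is byte-based on purpose, so it works whether or not the host locale is UTF-8.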

This is actually a complex question. PC web browsers typically have better sandboxing, and security is a bigger focus. The operating system will expose numerous security features for the browser to use. However, a modern smartphone is also much more resistant against harm caused by the compromise of an application such as a browser. Because of how integrated and monolithic smartphone operating systems are, each individual app can be run as its own user, isolated from every other program. PCs do not come close to this level of isolation and a compromised browser is game over.

forest
  • "each individual app can be run as its own user, isolated from every other program" In theory, yes. In practice there are a lot of apps that want access to things they shouldn't need access to, defeating a large part of the security. – Mast May 05 '19 at 16:48
  • PC browsers have better sandboxing? I thought Android sandboxed every app by default, while PCs don't (everything runs with the same user's permissions). – Federico Poloni May 05 '19 at 18:18
  • @FedericoPoloni I meant things like seccomp. While the OS exposes equally good sandboxing technologies, mobile browsers are not designed to make use of them as well as PC browsers. – forest May 05 '19 at 22:33
  • @forest I appreciate your answer, but you only showed pros and cons of both options. If you have to recommend Windows or Android for navigation, which would it be? You can answer, for example, "I would recommend Android from version X or more recent". – Mycroft May 06 '19 at 04:22
  • @Mycroft That would depend entirely on your threat model. – forest May 06 '19 at 05:49
  • @forest Non-targeted malware. Just malicious content across the web, basically malicious websites or downloads. – Mycroft May 06 '19 at 06:19
  • @Mycroft Then most likely an up-to-date Android phone (I believe Nexus regularly updates from the official AOSP?) would be safest, if only by virtue of the fact that mobile operating systems do not encourage people to download and execute arbitrary programs. – forest May 06 '19 at 06:21


If you're unable to prevent the user from doing stupid things, they will catch some malware at some point. The best thing you can do is preventing that from happening too often, and providing a way to reset to a "known good" state easily.

Which is why Uroc327's "not completely serious" suggestion should be taken a bit more seriously: use a PC, install VirtualBox, create a VM and a "known good" snapshot, confine web browsing to that virtual machine, and automatically reset the machine to the snapshot every time it gets started. And to mitigate most malware from the web, use Linux instead of Windows in that virtual machine. Make sure you aren't using any shared folders, so whatever happens in the virtual machine can't infect the "main" PC.

This won't help against all kinds of attacks (JavaScript crypto miners can still eat up your CPU), but it will help against most - neither the nude_celebrity.jpg.exe file nor the "your PC is infected, download this" scam will even run within the virtual Linux machine. And browser extension malware which opens "your PC is locked, pay 1 Bitcoin to get it unlocked" scare screens can be removed by just resetting to your known good snapshot.

This still gives your user a big screen (a smartphone is great for looking something up while you're away, but not for seriously browsing the web), and eliminates the problem with in-app purchases or paid apps that you'll inadvertently get with Android and/or iOS.

Source: I did that with my (80+ yo) Dad's computer last year, and the number of "something is messed up with the computer again" support calls dropped significantly since then.

Guntram Blohm
  • Thank you for your answer. Is there a way to always force a browser to run inside VirtualBox? Or does VirtualBox need to be started before? – Mycroft May 06 '19 at 23:50
  • @Mycroft you need to start virtualbox first. – chris-l May 07 '19 at 01:55
  • Virtualbox needs to be started first. But if you set the system inside virtualbox to auto-login, and the browser inside the virtualbox to autostart on login, you can still simulate a "click one icon to start a browser" experience to the user. – Guntram Blohm May 07 '19 at 05:11
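The "reset to the known-good snapshot on every start" step of Guntram's setup, plus the "no shared folders" rule, fits in a few VBoxManage calls. The script below is an added example and not Guntram's own; it assumes a host with a POSIX shell and VBoxManage on the PATH, a VM named browse with a snapshot named known-good (both overridable through environment variables), and it refuses to start a VM that has shared folders configured, which it detects from the SharedFolderName... keys in the machine-readable showvminfo output.

```sh
#!/bin/sh
# Reset a VirtualBox "browsing" VM to its known-good snapshot and start it.
# Added example for the procedure in the answer above, not Guntram's script.
# Assumptions: POSIX shell host, VBoxManage on PATH, VM "browse" with a
# snapshot "known-good"; override any of these via the environment.
set -eu

VM_NAME="${VM_NAME:-browse}"
SNAPSHOT="${SNAPSHOT:-known-good}"
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reads "VBoxManage showvminfo <vm> --machinereadable" on stdin and succeeds
# if any shared folder is configured. Shared folders are the one channel
# through which a compromised guest could write to the host, so such a VM
# must not be used for this purpose.
has_shared_folders() {
    grep -q '^SharedFolderName'
}

# A snapshot cannot be restored while the VM runs, so power it off first
# (harmless if it is already off), then discard everything the guest did
# since the snapshot, then boot it. Every browsing session starts clean.
reset_and_start() {
    if [ "$DRY_RUN" != "1" ] \
       && "$VBOXMANAGE" showvminfo "$VM_NAME" --machinereadable | has_shared_folders; then
        echo "refusing to start $VM_NAME: it has shared folders configured" >&2
        return 1
    fi
    run "$VBOXMANAGE" controlvm "$VM_NAME" poweroff 2>/dev/null || true
    run "$VBOXMANAGE" snapshot "$VM_NAME" restore "$SNAPSHOT"
    run "$VBOXMANAGE" startvm "$VM_NAME" --type gui
}

# (Re)take the known-good snapshot after the guest has been set up or updated:
# browser installed, extensions chosen, OS updates applied, nothing else.
take_known_good() {
    run "$VBOXMANAGE" controlvm "$VM_NAME" poweroff 2>/dev/null || true
    run "$VBOXMANAGE" snapshot "$VM_NAME" delete "$SNAPSHOT" 2>/dev/null || true
    run "$VBOXMANAGE" snapshot "$VM_NAME" take "$SNAPSHOT"
}

case "${1:-}" in
    start) reset_and_start ;;
    bless) take_known_good ;;
    "")    ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 start|bless" >&2; exit 2 ;;
esac
```

Put `browse-vm.sh start` behind the one desktop icon the user clicks; with auto-login and browser autostart inside the guest, as the comments describe, VirtualBox itself never has to be visible. Run `browse-vm.sh bless` once after setting the guest up and again after every guest OS or browser update, because restoring the snapshot also throws away any updates installed since it was taken, so an unblessed VM silently regresses to an older browser. On a Windows host the same three VBoxManage invocations go into a .bat file.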