Security changes between Windows 2008 (Windows 7) and 2008 R2?

Windows Server 2008 R2 is not "a different release of Windows Server 2008": it's the server release of Windows 7; this becomes immediately obvious if you simply compare the taskbar of Vista, 2008, 7 and 2008 R2. It also results from the version numbers, as Vista/2008 are NT 6.0, while 7/2008 R2 are NT 6.1.

Yes, I know the name is quite misleading; moreso as Windows Server 2003 R2 actually was only an interim release of Windows Server 2003, i.e. exactly the same O.S., but with some additional features.

Specifically to your question : I couldn't quickly find a summary of R2 security-related changes, but IIS was upgraded to 7.5. So, there's the broad answer to the question : IIS had a serious update with Server 2008 R2. You could probably look into the documentation for IIS 7.5 to find a decent list of new features.

I'm going to comment a little bit here - a lot of your questions are getting closed because your tone seems argumentative. If you dislike Microsoft, or things that other sysadmins/co-workers have told you that you found to not be exactly true, casting questions in that light does not incline many of us to go out of our way to answer your questions. A lot of your posts don't seem like you're trying to solve a real-world or business problem, to me they seem more like kvetching about something that doesn't make sense to you.

There are a variety of security changes in 2008 R2, specific to Sharepoint would be the negotiation authentication enhancements which offer improved single sign-on options particularly in light of the option in Group Policy to restrict NTLM Authentication and introduction of PKU2U.

There is also online identity integration, a new version of TLS and probably a couple of other things I'm missing.