The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings). http://www.informationweek.com/
That could help explain a bit of why.

As for the end of the year report, that's sure a heck of a lot of reading!