January 5th, 2006, 05:14 PM
#21
i think this report is an excellent reflection not on the quality of either the windows or linux operating systems but the uselessness of aggregate reporting. the vulnerability definitions and set definitions are so informal they border on non-existent.
a service/daemon flaw that allows an authenticated local user to execute arbitrary code as a guest/nobody user is viewed the same as a remote icmp flaw that binds a shell as administrator/root. a vulnerability that requires the system to be configured in a manner dramatically different from both the default and industry best practice is viewed the same as one present in the universally agreed upon most secure configuration.
all of this without even considering factors already addressed such as scope of use.
the only vulnerabilities worth indexing are those found in the given operating system's security enforcement mechanisms and for true comparison the date when the vulnerability must be recorded along with its discovery. until this is done there can be no effective comparisons since the scope and duration of vulnerabilities remain unknown.
once this data can be reviewed with iso15408 evaluations and access control model expressiveness mappings true universally agreed upon comparisons of operating systems will be a reality.