Which would you label as "more secure"?

A) A system with deep, critical vulnerabilites.
B) A system with less critical vulnerabilities, but being actively exploited by worms or tools.

Which is more important in evaluating security? Potential for loss, or potential for attack?

I'm looking for a outline of the dread model as well as any other models to put a number on this scenario, any suggestions would be appreciated.

Thanks!