I think that the real villain of the piece is the woman who wrote that ZDNet article.

She took these "vulnerability statistics" then tried to correlate them to "market shares"

As has been noted, these are "vulnerabilities" (not necessarily exploits in the wild) and they very largely relate to applications (the majority of which are third party).

What she seemed to be implying(?????????????) is that as there were only 800 MS vulnerabilities and 2,300 *nix ones, if *nix were as popular as Windows it would get swamped to a much greater extent.

My point is that you would have to be running the application in the first place? and your setup would have to permit an exploit to run.

I would make the observation that as MS Windows is closed-source, single-ownership, they can take a much harder line over standards in their business partners than the open source community can. That makes these statistics totally unremarkable to me.

Also, as the MS platform is by far the largest, there is fierce competition amongst Apps suppliers to that market? If they get a reputation for "sloppy" they are toast?

The "scoring" seems to be rather arbitrary also................for example if I write a bad application with 100 vulnerabilities and maybe 1,000 customers, I make that platform look a lot worse than an application with one vulnerability and 50,000,000 users?

I do believe that you should make a very clear distinction between applications and operating systems. I also believe that you need to consider mitigating circumstances and potential damage?

I see a lot of these articles and subsequent discussions, but remain very sceptical as to whether we have sufficient data to determine anything like the true risk or potential impact. For example, there are quite a few patches I don't apply because I just don't do "that" or even have it installed?

Just my thoughts (but I don't have to churn out articles like a hamburger machine for a living)