Re: SourceFire report
That thing is so full of bad statistical practices that it would be a lot shorter to list what they did right than what they did wrong.
The good news, if there is any, is that it doesn't look like they're playing favorites and trying to make one thing look better or worse than it really is; they just aren't that clueful about how to properly present this type of information.
The other problem is their sources of data may be suspect. Who determines whether a given vulnerability is critical or severe or whatever, and have consistent criteria been applied throughout the past 25 years? I very much doubt that. Not to mention that back in the 90s, there was a lot less attention paid to the issue.
For example, Windows NT looks a lot more secure than any other version of Windows based on the number of vulnerabilities, but people just weren't looking very hard at it compared to how much attention is paid (literally paid, as there's a lot of money in it now) to finding Windows vulnerabilities today.
If someone offered a bounty of $10,000 per critical security issue in Windows NT today, I'm sure that total would grow by leaps and bounds, a lot of it by finding "yes, this bug that was recently found in Server 2008 is present in Windows NT as well, but no one had bothered to look because no one uses Windows NT anymore."