Re: I wonder how they measure vulnerabilities in Gentoo and Solaris.
I just had a look at Secunia's database, and it looks like they count vulnerabilities in all the software that can run on Gentoo against Gentoo itself. In other words, a Java vulnerability counts against Gentoo, and so do problems with Chrome, Flash, etc. I don't know how they end up with fewer vulns for Gentoo than for Chrome alone, but that might just be because Gentoo might lump several Chrome vulns into one notice.
Secunia is counting by vendor, and since Gentoo redistributes lots of third-party software, all the third-party stuff which could potentially get installed gets counted against Gentoo. On the other hand, the exact same software may have the exact same vulnerabilities on MS Windows or Apple OS X, but it won't be counted against Microsoft or Apple because they didn't distribute it.
I think Secunia simply counts notices put out by vendors; they don't actually analyze them or apply any judgment. This means that the more conscientious and detailed a vendor (or distro) is about informing their customers (or users), the higher the vulnerability count they will have.
It also means that you can't actually compare vulnerability counts between vendors unless they operate, distribute, and report in a similar manner. That would just be comparing apples to oranges. I'm sure though that won't discourage our favourite anonymous security commentard from ignoring the facts and stuffing both feet in his gaping pie hole. Let me save him some trouble - "Microsoft had zero vulnerabilities while Linux had seventy-bazillion and caused global warming as well". There, now where do I pick up my cheque from Microsoft?
As to why Gentoo has loads more security vulnerabilities reported than any other distro, I suspect that is simply due to differing reporting and repo support policy. If another distro has smaller supported repos with fewer third-party software packages, then they will pretty obviously have fewer vulnerabilities to report to their users. Note though that I said supported repos. Different distros have different support policies.
I'm not sure what the story is for Solaris. I didn't bother looking them up in the database, and I'm not sure what their distribution, support, and reporting policies are. I wouldn't be surprised though if a lot of the apparently high vulnerability count is also simply due to double counting of non-Solaris-related problems combined with a long support life.