Interesting discussion on weightings
Just throwing this one into the mix.
Weighting of CVE severity certainly makes the numbers a bit more sensible, but being devil’s advocate, perhaps to tell who has the worst record for code sloppiness, we should also factor in market share?
One of the key trends we have seen when it comes to vulnerability discovery and exploitation is that it correlates closely with the number of machines in the wild, and there is strong evidence to show causation.
Hence the term "security by obscurity". We all know that (with the exception of government spy agencies) hackers and virus writers only target systems with a large enough pool to make it worth their time. After all, 90% of malware is written for financial gain.
The MS platforms and Adobe Flash are obvious targets because of the sheer numbers, and the potential bounty that can be retrieved en masse from the compromised machines. Hence, more beady eyes scrutinising the code for weaknesses.
I'm not a statistician, and have no talent with numbers, but in a very generalised manner I can say that factoring this in would make Adobe's case look a little better, but would place OSX in a very poor light indeed, given its very tiny market share.
On the other hand, this meteoric rise to vulnerability infamy for OSX could also be a short one?
Just like Windows XP back in 2003. The very sudden explosion in broadband-connected machines meant a glut of vulnerabilities that had been dormant for years (in the NT code) but were not exploitable in any practical way. Once they were exposed, Microsoft worked very hard, and quite successfully, to improve the security of their OS.
Perhaps a similar story is playing out with OSX? Until very recently, there was no real financial incentive to go looking for bugs to exploit in OSX, due to the very small numbers, but with the success of the iPhone, Mac numbers have swelled dramatically, and therefore the platform has become a viable target.
Maybe Apple will wake up and start taking security seriously? Maybe it'll take an iSasser worm to shake them out of apathy?