mi2g does not differentiate between:

On the Microsoft side:
Win9x
NT 4.0
Win2K
WinXP

So, WinXP could have ZERO vulnerabilities and Win2K could have all 500+ reported for "Microsoft Windows".

Not to mention that "MacOS" could mean the BSD-derived MacOS X or a previous version.

Their data is MEANINGLESS.

Instead of breaking it down by PLATFORM vulnerabilities, they break it down by..... I don't know how to define that.

All Microsoft OS's in one category.
All Mac OS's in another.
All "Linux" distributions in another.
and so forth.

Not to mention that they even ADMIT that they're including APPLICATIONS and 3rd party programs in those totals. (Now, I don't have a problem with this IF the application updates system files as IE and MS Office do.)

For vulnerability analysis to be USEFUL it needs to be broken out as such:

The platform (Win95, Win98, WinME, WinNT 4.0, Win2000, etc).

The platforms would be broken down even FURTHER if a vulnerability was noted on the workstation version of Win2000 that did not exist on the server version.

THEN, I'd look at the various IE vulnerabilities. MS claims that IE is part of the OS, but it is possible to not update it.

THEN, I'd look at the various MS Office vulnerabilities. This is because MS Office is a MS product that updates system files. Also include any other servers / services that MS offers (IIS, SMS, Exchange, etc.)

Linux gets off A LOT easier under this model. This is because Linux apps do NOT (that I know of) update the OS.

Again, each platform would be evaluated. This way, if Red Hat included a patched kernel and that patch had a security flaw, it would not show up as a vulnerability for a distribution that did NOT apply that same patch.

The point is that, when you have a CHOICE in the matter, it is POSSIBLE to CHOOSE to NOT RUN applications that are from a known, crappy developer.

Example, running a WinXP based website. Which, historically, would have the fewest vulnerabilities:

#1. WinXP + IIS

#2. WinXP + Apache for Windows

Now, a bit further. Which, historically, would have the fewest vulnerabilities:

#1. The "winner" of the above choice.

#2. Debian Linux + Apache

Note the use of "historically" in those examples. Because that is all you're getting. The HISTORICAL comparison. The CURRENT versions MIGHT have COMPLETELY DIFFERENT characteristics.

PS: Fred Moody is an idiot who has seen all of his predictions about Linux proven wrong. My favourite is how Linux would get LESS STABLE as it gained MORE SUPPORT for MORE HARDWARE.
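
The per-platform, per-component breakdown argued for in the post above, as an added example that is not part of the original post: it contrasts a vendor-bucket tally with counting only the advisories that touch what a given stack actually runs. The advisory records, IDs, component names and counts are constructed for illustration and are not real vulnerability data.

```python
from collections import Counter

# Constructed sample advisories (NOT real data). "bucket" is the coarse
# category a vendor-level tally would use; "affects" lists the exact
# (component, platform) pairs the advisory applies to.
ADVISORIES = [
    {"id": "ADV-0001", "bucket": "Microsoft Windows", "affects": [("os", "Win2K")]},
    {"id": "ADV-0002", "bucket": "Microsoft Windows",
     "affects": [("os", "Win2K"), ("os", "NT 4.0")]},
    {"id": "ADV-0003", "bucket": "Microsoft Windows",
     "affects": [("IIS", "Win2K"), ("IIS", "WinXP")]},
    {"id": "ADV-0004", "bucket": "Microsoft Windows",
     "affects": [("IE", "Win2K"), ("IE", "WinXP")]},
    # A flaw in a distribution-specific kernel patch: only that distribution.
    {"id": "ADV-0005", "bucket": "Linux",
     "affects": [("kernel-vendor-patch", "Red Hat")]},
    # A cross-platform application flaw, filed under one bucket by the coarse tally.
    {"id": "ADV-0006", "bucket": "Linux",
     "affects": [("Apache", "Debian"), ("Apache", "Red Hat"), ("Apache", "WinXP")]},
]


def vendor_totals(advisories):
    """Coarse tally: one count per bucket, platform and component ignored."""
    return Counter(a["bucket"] for a in advisories)


def stack_exposure(advisories, platform, components):
    """IDs of advisories hitting a component actually installed on `platform`.

    Each advisory is counted once, however many installed components it touches.
    """
    installed = {(component, platform) for component in components}
    return sorted(a["id"] for a in advisories if installed & set(a["affects"]))


if __name__ == "__main__":
    print("Vendor buckets:", dict(vendor_totals(ADVISORIES)))
    stacks = {
        "WinXP + IIS": ("WinXP", ["os", "IE", "IIS"]),
        "WinXP + Apache": ("WinXP", ["os", "IE", "Apache"]),
        "Debian + Apache": ("Debian", ["os", "Apache"]),
        "Red Hat + Apache": ("Red Hat", ["os", "kernel-vendor-patch", "Apache"]),
    }
    for name, (platform, components) in stacks.items():
        print(name, "->", stack_exposure(ADVISORIES, platform, components))
```
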