You should judge based on active attacks
Just counting the number of vulnerabilities is a lazy way to judge the security of a product. You should count how many days something has been actively exploited.
"If we count just the critical zero-days, there were at least 89 non-overlapping days (about three months) between the beginning of 2011 and Sept. 2012 in which IE zero-day vulnerabilities were actively being exploited. That number is almost certainly conservative.."
http://krebsonsecurity.com/2012/10/in-a-zero-day-world-its-active-attacks-that-matter/
The last known active exploit for Firefox was in 2010 for the Nobel Peace Prize, which was patched in a day. Chrome has no known history of an active exploit in the wild.
Of course this quote was about earlier Windows, and Windows 8 is different, especially IE in Win32 vs IE in WinRT, but the point is Microsoft's security record is probably the worst out of all the major browsers: slow to respond to threats and issue patches, in part b/c of the whole Patch Tuesday nonsense to pander to lazy control-freak IT workers.