And the buggiest OS provider award goes to ... APPLE?

Stop counting CVEs!

I can well believe Windows has got to a stage where security vulnerabilities are not as prevalent (relatively - they're probably absolutely more prevalent) as they once were, but...

Stop counting CVEs!

It's not even accurate enough for a ballpark figure.

CVEs are public (after any embargo). Not all security vulnerabilities are made public, and Microsoft are as guilty as, if not more than, any other vendor. It's CVE counts like this that actually encourage vendors to avoid disclosure if at all possible.

Microsoft handles its own CVEs, as do other vendors such as Red Hat. Sure, they all have guidelines on what to issue CVEs for, but all CVEs are not equal. A single CVE identifier is supposed to cover one issue, yet Microsoft has been known to issue one CVE covering many vulnerabilities.

Disclosure of security vulnerabilities is not exposure to security vulnerabilities. The timely disclosure of vulnerabilities is more likely to prevent exposure because it gives those actually maintaining the systems the opportunity to mitigate the vulnerabilities. The very fact that Microsoft complained about Google's 90-day disclosure policy (that's ~3 months, by the way) means they are not fixing vulnerabilities they know about in a timely manner. You can't assume that just because a vulnerability is not widespread public knowledge, attackers don't know about it. This goes even more so for a vulnerability that has already been reported to the vendor: at least one other actor, the reporter, knows about the vulnerability, and you should assume that others do too.

Biting the hand that feeds IT © 1998–2019