"For example, unlike Windows, the Linux Kernel can be upgraded independently of the rest of the operating system; therefore it is hard to link Linux Kernel vulnerabilities to a specific Linux distribution or Linux distribution version."
If Florian gave a fuck about producing an accurate or useful picture for the punter, all he had to do was pick a distribution, and take an inventory of the kernel revisions that got punted with that distro over the year. It's not hard, the information is in the public domain.
Instead, Florian has decided to use a methodology that produces a figure that isn't representative of what a real-world Linux user would encounter (because in practice distributions ship a small fraction of the kernel revs that are out there), but just happens to be the biggest possible value he could arrive at with the least amount of effort.
He really shouldn't have bothered.