For the thousandth time, counting CVEs does not indicate relative security levels. Different companies handle them differently. Apple, for instance, applies for a CVE number for every single issue they find, even those discovered internally. Most companies do not, and only get CVEs assigned for threats found by outsiders. Also, if you find five different issues in a certain module, some companies will have a single CVE assigned, others will have five assigned.

Finally, Linux has a ton more software included than Windows does. Not only that, but Linux often includes multiple versions (e.g. MySQL, SQLite, and so on...). If you count CVEs in Windows, you won't end up counting CVEs found in SQL Server, and if you add those in, that's only one SQL package.

A company that does a good job of looking for and fixing security issues will look relatively worse than one that doesn't do any investigation on its own, and relies only on outsiders to find and report threats.

Counting CVEs to compare security is sort of like comparing automobile deaths per capita as a way of assessing how safe drivers are in different countries. It completely ignores more important stuff like what percentage of the population drives a car, how many miles the average person drives, the age/safety of the typical car, etc.

