The problem is that the core Linux kernel maintainers have no real interest in security, and atleast Torvalds has outright stated that he doesn't care more about it than fixing other bugs.
I'm much like that myself (not that I've written much for a long time), I view all bugs as bad.
One of the differences with Linux is that there's a number of tools available to mitigate effects of a bug, and a number of ways around it. Sure, kernel stuff isn't necessarily so easy to swap in and out as your DNS systems or other systems, but if I wanted to I could view and modify the code, and if a kernel bug became a security hole when Bind is used, I could switch in DNSMasq or some other alternative instead.
With MS, even the default browser is (according to them, at least pre 10) built tightly into the core of the system, and therefore cannot be extracted, so that a bad web page can affect the deepest levels of the OS. I'll take a bunch of disorganised amateurs over that level of "professionalism" any day.
It's not about some secret Linux maintainer conspiracy to reduce the CVE counts. It's about the fact that there is no real process in place to analyze the security impact of bug fixes - it's all done ad hoc.
It may be - after all much of the work is done by a bunch of amateurs in mom's basement :) Thing is, it works. The well-paid highly organised coders over at MS send out security blunder after what-the-fuck-were-they-drinking security blunder. Linux has a small few "WTF" ones, a few normal ones, and a few "No one ever thought to test for that until now", but neither the quantity nor "quality" of security foulups that MS produces, esp among the more stupid ones (such as the article is about - Linux quietly fixes lots of bugs some of which may be undetected security flaws whereas MS loudly fixes security flaws, but doesn't make the actual details of the fix (or workarounds/mitigation) available to anyone, and while white/grey hats are trying to work out what it is to help stop any exploits, blackhats know there is an exploit there to be found and focus their efforts on to it.
Neither is perfect, but I prefer the results of the Linux method - if it can be called a method...