July 2007 Operating System Vulnerability Scorecard
I ran across this vulnerability report. The goal of which appears to be to show that Windows Server 2003 has fixed significantly fewer flaws than various other operating systems. Upon reading the report, the first thing that popped into my head was "But what about the things that aren't fixed?" There are quite a few reports like this, none of them really say much. We can safely say that any report is going to show that lots of things get fixed in operating systems that contain lots of things.
I wouldn't mind seeing an report about the various outstanding flaws in a given system. Such a report is likely impractical to produce, as it's a full time job to track outstanding flaws, but it would no doubt be useful. It's very easy to draw the shortsighted conclusion that the more flaws a vendor fixes, the more insecure their product is. It would make just as much sense to say that the fewer flaws a vendor fixes, the more outstanding things they are still vulnerable to.
