In the case of the analysis by GFI... I'd have to question the validity of an analysis where Android is not listed among the operating systems. The chances of that OS having zero vulnerabilities seem to be near-zero, considering the numbers I pulled out of the NIST NVD database (below), and even if it was zero, it ought to be shown anyway, to keep people like us from rejecting the results out of hand.
Methodology is very important. We can go to https://web.nvd.nist.gov/view/vuln/statistics to crunch the data ourselves - create our own queries, come to our own conclusions. And most likely, fool ourselves and everyone else.
As it's been said, "There are lies, damn lies, and statistics."
If I query at that page by Keyword, I have to trust that I've used a useful keyword. The query results suggest it's not a particularly accurate approach:
Query period: January 2014-December 2014: Vulnerability Criteria: Contains Software Flaws > Keyword
And here are the results:
"android" - 19.13%, "iOS" 3.35%, "windows" 3.18%, "unix" 0.28%, "os x" 33.15%, "os_x" 3.5%, "mac" 1.31%, "apple" 4.17%, "microsoft" 4.55%, "google" 20.98%
Why is "os x" so high, while "mac" and "os_x" are so much lower? Most likely, choice of keyword, as the database uses the "os_x" format in version-naming. (Just plain "os" returns 57.67%.)
Overall, Keyword seems to paint with a very broad, sloppy brush.
The search page also allows us to search by CPE Name, where both Vendor and Product are selected from drop-down lists. That would seem to be the more accurate way to go, but every dot release provides separate results. To aggregate results for, say, all iOS 8.x releases, one has to do a lot of number crunching, apply various weighting factors, such as duration of release, adoption rate, whether the individual vulnerabilities are being counted twice (once for each version to which it applies), etc. By raw, unweighted measure, for the period of January-December 2014, iOS_7.1.2 is at 0.57%, and iOS_8.0.2 is at 0.14%. Of course, 7.1.2 was a final, stable release that was in service throughout 2014, while 8.0.2 was released in September and rapidly superseded.
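The two counting problems described above, shown as an added example that is not part of the original post and is not NVD's own code. The records, their `SAMPLE-` ids and the substring keyword matching are constructed assumptions; only the CPE 2.3 name layout is real.

```python
from collections import Counter

def _cpe(vendor, product, version):
    # Helper for building constructed CPE 2.3 names for the sample data.
    return f"cpe:2.3:o:{vendor}:{product}:{version}:*:*:*:*:*:*:*"

# Constructed sample records, not real NVD entries. Each has a free-text
# summary and the CPE names of every version it applies to.
RECORDS = [
    {"id": "SAMPLE-0001", "summary": "Kernel flaw in Apple iOS before 8.1",
     "cpes": [_cpe("apple", "iphone_os", "7.1.2"),
              _cpe("apple", "iphone_os", "8.0.2")]},
    {"id": "SAMPLE-0002", "summary": "WebKit flaw in Apple iOS 7.x",
     "cpes": [_cpe("apple", "iphone_os", "7.1.2")]},
    {"id": "SAMPLE-0003", "summary": "Sandbox flaw in Apple OS X before 10.10",
     "cpes": [_cpe("apple", "mac_os_x", "10.9.5")]},
    {"id": "SAMPLE-0004", "summary": "Remote host crash in Microsoft Windows",
     "cpes": [_cpe("microsoft", "windows_7", "-")]},
    {"id": "SAMPLE-0005", "summary": "Intent handling flaw in Google Android 4.4",
     "cpes": [_cpe("google", "android", "4.4")]},
]

def parse_cpe(name):
    """Return (vendor, product, version); assumes no escaped ':' in the name."""
    parts = name.split(":")
    return parts[3], parts[4], parts[5]

def keyword_share(records, keyword):
    """Fraction of records whose summary contains the keyword as a substring."""
    hits = sum(keyword.lower() in r["summary"].lower() for r in records)
    return hits / len(records)

def per_version_counts(records, vendor, product):
    """Records per version; a record counts once for each version it lists."""
    counts = Counter()
    for r in records:
        counts.update({ver for ven, prod, ver in map(parse_cpe, r["cpes"])
                       if (ven, prod) == (vendor, product)})
    return dict(counts)

def product_count(records, vendor, product):
    """Distinct records affecting any version of the product."""
    return sum(any(parse_cpe(c)[:2] == (vendor, product) for c in r["cpes"])
               for r in records)

if __name__ == "__main__":
    for kw in ("os", "os x", "os_x"):
        print(f"keyword {kw!r}: {keyword_share(RECORDS, kw):.0%}")
    by_version = per_version_counts(RECORDS, "apple", "iphone_os")
    print("per version:", by_version, "sum:", sum(by_version.values()))
    print("distinct:", product_count(RECORDS, "apple", "iphone_os"))
```

Summing the per-version figures gives 3 for a product with only 2 distinct records, and the bare keyword "os" matches "iOS", "OS X", "host" and "Microsoft" alike.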