Terrible Journalism: Linux/Unix Vulnerabilities Outnumber Microsoft Windows' 3 To 1

Information week wrote an article yesterday that hardly qualifies as good journalism:
Linux/Unix Vulnerabilities Outnumber Microsoft Windows' 3 To 1

The summary of the article:“Linux and Unix, including the Mac, had 2,328 vulnerabilities last year, compared with 812 vulnerabilities for Microsoft Windows, according to the U.S. government's computer security group.”

I was going to explain why this was a terrible article, but someone on /. already did a good job so the following comment posted by
molnarcs (675885) sums up my thoughts exactly:

And I quote:
“There are at least 12 distinct operating systems in their list - Solaris, Cisco, SCO Unixware, OpenBSD, FreeBSD, NetBSD, HP-UX, AIX, HP Tru64, MacOS X, Linux variants like SuSE, Debian, Gentoo, RedHat (I counted Linux as one, even though most of the vulns. are found in their specific configuration/management tools). Add an arbitrary number of applications: KDE and GNOME, that in itself has more apps that are counted for Windows, every free SQL database server, mail server, (LotusDomino for Christ's sake!), imap client, ftp client, ftp server, etc...

Now we have a comparison of a single operating system (Windows) + apps running on it with at least 12 distinct operating systems + 10x the number of apps that was counted for windows. The result is rather surprising: there are JUST 4x more bugs in 12 operating systems + 10x more apps than in windows + windows apps alone! This result is much more unfavorable for Microsoft than to any Unix/Linux OS!

Of course, the fallacy of the comparison is that it suggests that Linux or Unix is an Operating System. For someone who does not look at the details, it might seem that installing a specific Linux or Unix operating system is more risky - hey, there are more bugs found in Linux/Unix, that's what the article says! In fact, the opposite is true, if you look at the details.

Not that the comparison is useful in any way - why are Safari bugs counted at all? Safari runs on OS X only, so you can't just dump safari bugs into linux/unix bugs category (how retarded is that?). Why are bugs found in SuSE YAST counted as Linux bugs? They have nothing to do with linux or unix - they are specific to one operating system: SuSE linux (the same applies for all the bugs counted in Debian, RedHat, Gentoo, etc.) Not to mention the duplications: Eric Raymonds "Fetchmail POP3 Client Buffer Overflow" is counted 5 times for linux and BSDs. There are duplications for windows as well though. In other words, this list or comparison is pretty much unusable.”