They want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.
Not true. You can work out the average speed of a car over 10 miles and do a straight comparison with compare another car over 20 miles. There is no difference here. It's simply a rate. You don't need a common divisor.
If you have 10 vulnerabilities from January 1st through June 30th of 2014 and you have 10 vulnerabilities from January first through December 31st of 2013, that does not mean the number of vulnerabilities has increased by 100%.
The number of vulnerabilities per time has, but the number has not. Both numbers are 10. 10 is 0% more than 10.
They're making a prediction on the total number of vulnerabilities based on the rate of vulnerabilities. That's fine, and it's pretty safe to assume it will end up being fairly accurate. But you cannot say the total number of vulnerabilities has increased 100% unless you're directly comparing total numbers and not rates. The rate of vulnerabilities is 100% higher, vulnerabilities in 2014 are on track to be 100% higher, and possibly the number of vulnerabilities in the first half of 2014 IS 100% higher than the number of vulnerabilities in the first half of 2013, or second half, or last 3 days, or whatever you want to compare against.
They're comparing rates and extrapolating predicted totals and then making a factual claim regarding the totals for 2014. That's simply wrong. 2014's totals are not yet known, we simply have a lower bound. Compare rates and make your claim based on the rates, or compare 6 months in 2014 to 6 months in 2013. Which 6 months is up to you - you could choose the first half, the second half, the even months, the odd months, the months with the most vulnerabilities, the months with the least vulnerabilities, etc.