and here: http://secunia.com/advisories/product/21625/
FF3 and IE8 are about the same age. In the same time frame FF3 has raked up 144 vulnerabilities. IE8 has experienced 23.
Apparently you did not even read your own source! QUOTE FROM YOUR OWN SOURCE:
PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.
Please go and read your source, they make this point for me.
We have access to Microsofts Security Bulletins - which are among the most detailed in the industry. Admins depend on those bulletins to be accurate. They need to make the right decisions on whether to block or allow patches. What do you think would happen if MS tried to sneak a patch by and it turned out to cause damage to systems? Simply put, there's nothing to support a suggestion that MS is sneaking anything by.
Wow, talk about calling your own objectivity into question. "The most detailed in the industry" Sheesh. Are they also the most well written, prepared by the best smelling employees?
You just don't get it. You can't tell if they're telling you everything because you don't have access to their bug tracker and you don't have access to the code. The can say they're changing a font size and fix 3 major vulnerabilities without telling you.
And as for what would happen if "it turned out to cause damage to systems", let me know when their EULA doesn't explicitly disclaim liability for that.
#2) Number of exploits is a function of profitability, is has no correlation to number of security bugs or software quality
Try reading your own statement out loud to yourself. It obviously does not make sense. Of course number of exploits is correlated to the number of bugs. It don't take a genius to realize that as the number of bugs reaches zero, the number of exploits will be forced to zero as well. This section is an example where you're using terms with very specific meanings like "correlation" without any data to back it up.
#3 Time to fix is relevant. However, in this case it doesn't matter, because this was targeted attacks.
This is another case where you're assuming things you can't possibly have data for, such as when MS first became aware of this vulnerability.
This really doesn't take a rocket scientist:
Pretend you're a software vendor and you want to look good to your customers, first and foremost.
You will group software updates into batches so as give the best impression of stability and security as possible.
You will have a pressure to do this even when particular flaws might be quite severe.
In an extreme case, you might even go so far as to only release your updates on a particular day.... maybe Tuesday?