
Vista vs Linux Vulnerabilities Debate

Vista is a more secure operating system than some major Linux distros, according to a report out of Microsoft. You can imagine the kind of visceral reaction this will provoke among OS advocates. Rather than trying to support or undermine each of the claims in the report (there'll be plenty of that on the Web before the end of the day), I think it's more useful to consider a question raised by Adrian Kingsley-Hughes at ZDNet. He argues that there is no obvious cooking of the numbers, so if you're still convinced Vista is less secure than Linux or Mac OS, you have to ask yourself:

how do you bend your “reality” around this report?

Good question.

Here are some possible answers:

1. The Different Accounting Approach: Enron looked good for years because of how they reported their finances. How does each vendor/project count vulnerabilities? Maybe reasonable people will come to different conclusions on how to count vulnerabilities. This one doesn't hold up too well. Not all vulnerabilities are self-reported, and some vulnerabilities may have been found and patched but not listed in a public vulnerability database, but would that pattern vary much from the rate of disclosed vulnerabilities?

2. The OS is Only Part of the Equation Approach: We don't live with OSes alone. We use browsers and desktop applications, so we need to account for vulnerabilities in those applications, too. I think this is a reasonable question if we are looking at a holistic view of security. Maybe Firefox and Vista is the optimal combination of browser and OS.

3. The real test is in use. How much malware and spyware is on Vista platforms vs the other OSes? How secure are typical configurations? The report doesn't cover this and at the end of the day this is the question that really matters.

Vulnerability counts are not perfect measures, but Microsoft deserves credit. Vista's first six months have been better than XP's and, by at least one set of measures, Vista is doing better than some Linux distros.

This is a good thing and shouldn't be turned into a slash-and-burn winner-take-all brawl (this isn't contemporary American politics after all). The best possible outcome of this report is that Microsoft decides it wants to stay ahead of the competition and continues to improve on Vista while Linux developers make it a point to prove they have the most secure platform.

We're all in this together and we're all going to be better off if we have more secure OSes and fewer point-counterpoint arguments that don't advance that goal.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net