Yeah, that was the point I was trying to make. Sure, you can say that Windows is "more secure" than Linux because in the past three months Microsoft has had fewer CVEs...but then you figure up the "severity score" average and note that M$ has an average severity of 7.8 compared to Linux's 4.8 (numbers being pulled from the air, no basis in reality).
What does it mean? It means you're comparing apples to oranges.
If I run OpenBSD on my entire multi-million dollar infrastructure, and there exists one zero-day in OpenBSD that hasn't been patched yet and is remotely exploitable in the default install, what does it matter if there are fewer CVEs? See what I did there? CVEs aren't the problem, they are only a partial symptom of the problem. Granted, the odds of that occurring are incredibly low compared to "mainstream" operating systems, but it doesn't mean it *couldn't* happen.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Last edited by rocket357; 9th April 2013 at 09:03 PM.