You need to comment on patched as well as unpatched bugs - a lot of users don't upgrade their software (even if auto-update is turned on). That said, where is Internet Explorer in the "report"? The fact that it's entirely missing makes me assign no credibility whatsoever to it.
Also, when looking at vulnerabilities, count is nothing
of the vulnerabilities is everything. And the severity labels that various security firms give aren't always correct, imho. Sure, a cross-site scripting bug is bad, and it might even be "severe". But it's a shitload less critical than something that can lead to automated remote code execution.
Bottom line: Firefox is still a bunch more secure than IE, and because it still doesn't have market dominance it isn't targeted as much as IE either, giving an even bigger advantage.
It is an interesting approach to security though - which apps have known issues? Surely it is the unknown issues that are the problem!
Yes and no. "Unknown" issues means that generally only a few people know of the bugs - the kind of people who're interested in keeping this knowledge to themselves, so they can attack really specific systems. Once exploits are used for zombie botnet purposes, they get known really fast - and it's the automated zombie-harvesting attacks we need to worry about.