Oh, and I forgot to mention.. what about 'second year' or 'third year' vulnerabilities? By this time, the OS has begun taking hold and I'm quite sure that by this time, that MS OS far exceeds vulnerability numbers in any other OS available.
Well, yeah.. how many NEW operating systems are released every year? I don't even consider Vista to be 'new'. It's an updated rehash of XP. So, this statement is a complete misnomer. You need to count all of the XP vulnerabilities that also impact Vista. But, let's ignore this for a few..
Just strictly considering Vista as a 'new' operating system (ahem), how many people adopted it in the first month, six months or 1 year mark? Then, you'll realize exactly WHY it has fewer 'first year' vulnerabilities than any other 'modern' operating system. As far as I know, no other operating system considers a new x.0 release as a 'first year' release in the same way as Microsoft. But, comparing apples to apples, you should consider the initial release of Fedora 8 and MacOS Leopard in the 'first year' category. As far as I know, Leopard and Fedora 8 should have fewer vulnerabilities than Microsoft.
Alternatively, this says one other thing about Microsoft. If it is, in fact, true that Microsoft has fewer 'first year' documented vulnerabilities than Linux and MacOS Leopard, that could mean that Microsoft is not doing enough to FIND these vulnerabilities where Linux and Apple developers are taking a proactive approach. Then, they fix these issues long before they turn into a vulnerability. So, this statement by Microsoft doesn't necessarily mean good things about Vista.
Further, what does the latter say about Vista, Microsoft and security? Not committed? Not proactive? Don't care about security? I would tend to believe that the Linux and Apple developers are more proactive and committed with regard to finding underlying OS vulnerabilities than Microsoft. This has certainly been true in the past and I continue to believe Microsoft doesn't actively search for bugs until someone ELSE finds them. Only then do they document and fix them. By then, someone has already written an exploit and has likely actively released a worm/trojan/virus to take advantage of it.
I'd take that Microsoft statement with a grain of salt.