According to a compilation by CVE Details, the software products with the most distinct, publicly-disclosed and fixed vulnerabilities in 2015 were, in order, Mac OS X, iOS, Flash, Adobe Air and Air SDK. Mac OS X led with 384, with iOS following close behind with 375. Android had 130, while Windows had approximately 150.
Last year the top five were Internet Explorer, Mac OS X, Linux Kernel, Chrome and iOS. Android didn’t make the top 50.
The method by which CVE Details presents the results may cause some confusion and debate. For example, while only one entry is dedicated to OS X, Windows is separated by each major version as a distinct product. Because separate Windows versions often have the same vulnerability in common, as shown by the tight range from 135 to 155 across all versions, it can be assumed that the range is somewhat indicative of the number of security flaws reported and fixed in Windows in general.
The database ranking of the top 50 does not weigh the severity of each reported and fixed vulnerability, only the total number of distinct security flaws that were publicly reported.
Viewing the same data by vendor (shown below), however, gives an interesting perspective. It would appear that the top offender is Microsoft with 1561 total distinct publicly-reported vulnerabilities across all its products, adding all security flaws for Internet Explorer, Windows and other software. But this counts many of the same fixed flaws across all modern versions of Windows eight times, providing a somewhat skewed view. In addition, Windows Server 2003 appears to be listed twice by the government source.
A healthy dose of critical thinking is in order because Apple and Microsoft have complex operating systems to build and maintain, compared to a vendor who only publishes applications and development kits, and accordingly would be expected to have higher overall numbers. For example, Adobe continues its reputation for vulnerabilities across its products, including Flash, Air and Acrobat.