For whatever reason I needed some data on what the most vulnerable operating system was and instead I stumbled over some questionable use of statistics. At least in my opinion.
I figured that a good way to find statistics was to use the CVE data as the base. Luckily for me, I was not the first to think of this. Looking at the data in the table we see that, for example, Windows is fairly far down the list. However, looking at the bar graph at the bottom, Microsoft is second. That is weird...
Turns out that while the table lists distinct vulnerabilities per product, the bar graph just takes the per-product numbers from the table and sums them by vendor. A few random checks reveal that the vulnerabilities for Windows 8 and Windows RT 8.1 are almost identical, i.e. the same CVEs listed under both products. Same thing for Red Hat.
I don't know what you think, but in my opinion counting the same vulnerability several times because it affects different versions of some software seems wrong. I'm going to assume this is an honest mistake rather than an attempt to skew the data in a certain direction.
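To make the double counting concrete, here is an added example (my own illustration, not code from the site whose table and graph are discussed above). It uses constructed rows in the shape of a CVE-by-product table, with placeholder IDs rather than real CVEs, and computes a vendor total both ways: the naive way (sum the per-product counts) and the way that actually answers "how many vulnerabilities" (count distinct CVE IDs per vendor). The vendor and product names are only there to mirror the table's layout.

```python
from collections import Counter, defaultdict

# Constructed sample rows shaped like a CVE-by-product table: (cve_id, vendor, product).
# The IDs are placeholders, not real CVEs. A CVE that affects several versions of a
# product appears once per affected product, which is exactly what inflates a
# per-vendor total built by summing the per-product rows.
SAMPLE_ROWS = [
    ("CVE-0000-0001", "microsoft", "windows_8"),
    ("CVE-0000-0001", "microsoft", "windows_rt_8.1"),
    ("CVE-0000-0001", "microsoft", "windows_server_2012"),
    ("CVE-0000-0002", "microsoft", "windows_8"),
    ("CVE-0000-0002", "microsoft", "windows_rt_8.1"),
    ("CVE-0000-0003", "microsoft", "internet_explorer"),
    ("CVE-0000-0004", "redhat", "enterprise_linux_6"),
    ("CVE-0000-0004", "redhat", "enterprise_linux_7"),
    ("CVE-0000-0005", "redhat", "enterprise_linux_7"),
    ("CVE-0000-0006", "apple", "mac_os_x"),
    ("CVE-0000-0007", "apple", "mac_os_x"),
    ("CVE-0000-0008", "apple", "ios"),
]


def count_per_product(rows):
    """Distinct CVEs per (vendor, product): this is what the table shows."""
    seen = defaultdict(set)
    for cve, vendor, product in rows:
        seen[(vendor, product)].add(cve)
    return {key: len(cves) for key, cves in seen.items()}


def vendor_total_by_summing_products(rows):
    """The naive vendor figure: add up the per-product counts.
    A CVE listed against three products is counted three times."""
    totals = Counter()
    for (vendor, _product), n in count_per_product(rows).items():
        totals[vendor] += n
    return dict(totals)


def vendor_total_distinct_cves(rows):
    """The vendor figure that answers 'how many vulnerabilities': distinct CVE IDs per vendor."""
    seen = defaultdict(set)
    for cve, vendor, _product in rows:
        seen[vendor].add(cve)
    return {vendor: len(cves) for vendor, cves in seen.items()}


def inflation_report(rows):
    """Per vendor: (summed count, distinct count, ratio). A ratio above 1.0 means double counting."""
    summed = vendor_total_by_summing_products(rows)
    distinct = vendor_total_distinct_cves(rows)
    return {v: (summed[v], distinct[v], round(summed[v] / distinct[v], 2)) for v in summed}


if __name__ == "__main__":
    # Sort by the naive total, the same ordering a bar graph built from summed rows would show.
    report = sorted(inflation_report(SAMPLE_ROWS).items(), key=lambda kv: -kv[1][0])
    for vendor, (summed, distinct, ratio) in report:
        print(f"{vendor:10s} summed={summed:3d} distinct={distinct:3d} inflation={ratio}")
```

On this sample the summed total puts the vendor with the most product variants on top (6 versus 3 distinct CVEs, an inflation of 2.0), while a vendor whose CVEs each hit a single product ends up with a ratio of exactly 1.0. The ranking changes once duplicates are removed, which is the whole point: a vendor with many listed product versions is penalised by the summing method regardless of how many actual vulnerabilities it has.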