Think Oracle's "Unbreakable" advertising implies it has the fewest vulnerabilties? Think again.
This graphic is an excerpt from "OracleEdisonResponse.docx". You can download the full document here:
http://download.microsoft.com/download/A/F/1/AF1CC0A9-05B0-46FB-ACE3-2E4B11F8D182/OracleEdisonResponse.docx. Here's the caption:
"As seen in the chart, Oracle database consistently has more security vulnerabilities than Microsoft SQL Server. In fact, Microsoft SQL Server has very low vulnerability from 2003 – 2009 as a direct result of our implementation of Trustworthy Computing Initiative (http://www.microsoft.com/mscorp/twc/default.mspx), which was started in 2002 by Microsoft Chairman, Bill Gates (http://www.microsoft.com/mscorp/execmail/2002/07-18twc.mspx). It is advised that real-world customers include security patching as part of the true cost of operating Oracle 11g and Microsoft SQL Server 2008."
Note that the source of this data is not Microsoft, but NIST, the National Institute of Standards, which plays a leading role in evaluating technology security issues for the U.S. Federal Government.