Have you had a look at Symantec’s latest Threat Report? It can be found here: http://www.symantec.com/content/de/de/about/downloads/PressCenter/ISTRXII_Main.pdf
I briefly read through it and one statement caught my eye:
Page 54: Of the five operating systems tracked in the first six months of 2007 (figure 18), Microsoft had the shortest average patch development time at 18 days, based on a sample set of 38 patched vulnerabilities. Of the 38 vulnerabilities, two affected third-party applications. This is lower than the average patch development time of 23 days in the second half of 2006 based on a sample set of 50 vulnerabilities, seven of which affected third-party applications.
This is a very motivating data point as this is one of the different things we have to be good at – besides making sure that we can reduce the number of vulnerabilities through processes like the Security Development Lifecycle. We proved the impact of SDL already:
See Jeff Jones’ Windows Vista – 6 Month Vulnerability Report to get these details.