This is a question that often comes up during conversations between meetings of people who hold different views of which platform is best. When looking at any such vulnerability statistics I think it’s important to consider that a single vulnerability can take down a system / business / someone’s privacy hence viewing them in isolation is a fool’s game.
It’s a little bit like saying that one firewall’s better than it’s rival simply because it has a greater throughput – of course it’s vitally important to consider “what is the firewall actually inspecting? How well does it understand what normal traffic looks like for my network”” rather than “how much can it inspect in a given time period?”
Jeff Jones has posted a really interesting piece analysing the vulnerability counts for RedHat and Microsoft platforms.