Agreed on CVEs being an imperfect measure, but they're presumably better than nothing, especially if all you want to do is identify trends.
But are you suggesting that 2.6 should switch to the 2.4 development model? Not the original 2.4 development model, the current one -- bug fixes only for years on end. Or... what?
I'm not trying to mock, it's a serious question -- you come in ranting plausibly about security issues being a problem, and how "we" should do something about that, but it's not at all clear to me what -- specifically -- would be better. (And it's a bit off putting that you seem to blame "us" for not doing... well, something...)
There are trade-offs. If a four-fold increase in security holes were really the price of 2.6's improvements compared to 2.4, that actually seems amazingly cheap -- though the real ratio is certainly much worse. How do we do better?