I count about 24 vulnerabilities fixed, counting each line involving a vulnerability in the changelog as a separate vulnerability (even if multiple things were fixed at once in the same file, see: netlink). I also counted some of the infoleaks that weren't worthy of CVEs in 2.6. At least half of the vulnerabilities were information leaks.
Most of these vulnerabilities were also present in the 2.6 kernel (and deemed important enough to check how far the vulns went back so that they could be backported). So it too is a biased dataset, but it's also a much more stable codebase that avoids all the issues introduced in 2.6.
It's not possible to run a 2.4 kernel with any modern distro I'm aware of (you'll get a "kernel too old" death on boot, even for running old 2.6 kernels). I imagine it would have to be some custom supported/maintained distro. The users would have to be updating their userland as well if they wanted to match their security intent in upgrading to newer versions of 2.4 kernels, so it's unclear who would be bothering to do that and how they're doing it.