Yes, they took a biased sample. But that's the thing about security: you cannot rely on the law of averages to help you. An attacker only needs to be lucky once. If Trustwave can cherry-pick three vulnerabilities which took a long time to fix, an attacker can do the same. So it is quite legitimate to criticize the state of security fixes based on one security hole left unpatched, even if there were a thousand others fixed promptly.