As for why the development model is a large reason for the problem, the easiest comparison (if we cover our eyes and assume the numerous vulnerabilities I've mentioned on this site and elsewhere for which there is no CVE don't exist, like the SELinux remote DoS) is to compare the numbers of CVEs for 2.4 against those for 2.6 for this year:
Yeah, unfortunately I think you'd have trouble convincing anyone that "number of CVEs" was a very useful statistic. (Unfortunate because it *would* be useful to be able to make those kinds of comparisons. I don't know what would be better. You could do audits of random samples of the code bases in question, but that sounds expensive. Statistics from the static analyzers and such might be better than nothing.)
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds