Langa Letter: Linux Has Bugs: Get Over It





(Page 3 of 5)

Counting Bugs
There's no perfect, 100% reliable way of comparing bugs across operating systems, especially in an environment where operating systems usually ship with bundled software that may have its own, separate quality issues. But let's start by looking just at the operating system itself:

We can avoid CERT's problem of counting the same bug more than once if we compare the security patch/update counts for one popular distribution and version of Linux to one popular version of Microsoft Windows. In this way, we won't have the Linux count skewed by the same bug cropping up in hundreds of other versions and distributions; or have the Windows count skewed by bugs in other Windows versions or software products from Microsoft.

To further refine the comparison, let's look at operating system versions that came to market at about the same date. This way, both operating systems would have a more or less equal time during which problems could come to light.

It turns out that Microsoft Windows XP and Red Hat Linux 7.2 were released within a few weeks of each other. Both are still current and are actively supported by their respective vendors. So, let's take a look, starting on each vendor's patch/update pages:

For Red Hat Linux 7.2, you go to the Red Hat "errata" page https://rhn.redhat.com/errata/ and from there to the page specific to version 7.2 https://rhn.redhat.com/errata/rh72-errata.html . There, you'll see that, to date, Red Hat has issued 151 patches and updates (mostly for security issues; that's what the "broken lock" icon means) for that Linux version. For a very crude sense of scale, that works out to an average of around 2.3 patches per week.

Next, let's do the same thing for XP Professional, starting on Microsoft's errata page, the "HotFix & Security Bulletin Service"; use the pull-down menu to isolate just the XP-related items. You'll see that the page lists 21 XP-specific patches and updates to date. That's an average of 0.35 patches per week.

But wait: Maybe that's not a fair count. After all, XP is the newest Windows version, but RH 7.2 isn't the newest Linux version. Red Hat's newest version is actually version 8.0, so let's look at that. Its errata page lists 27 patches and bug fixes issued in the four months the operating system has been available, an average of around 1.6 patches per week, so far. That's a rate significantly lower than Red Hat 7.2's, but still higher than XP's.

These numbers may surprise you because we've all seen a veritable blizzard of patches and updates issued from Redmond. But Microsoft currently has 157 software products under active support, and a typical PC may have not only a Microsoft operating system but also a Microsoft browser, mail program, media player, office suite, and more. In the aggregate, the total number of bugs and patches to keep up with for all this software is daunting. And some of the issues have indeed been severe. (For example, Outlook Express was for years the very worst security hole on most PCs.)

But, if it's unfair to lump all open source software together for bug-counting purposes, it's also unfair to do the same thing for all Microsoft software. (Otherwise, to get an accurate assessment for Linux systems, you'd have to include the bugs from open source browsers and all other normal system add-ins or add-ons, on top of Linux's own bugs.) Instead, to avoid an apples/oranges comparison, it's better to look at specific brands, types, and builds of products across similar amounts of time: That's the only accurate way to see how, say, operating systems compare, or browsers compare, or E-mail programs compare, and so on.

But what about the types or severity of bugs? In fact, I hear this a lot from Linux partisans, that Microsoft bugs are "worse" than Linux bugs. There's a lot of subjectivity in better or worse comparisons, of course. But as a quick example, here's a Red Hat Linux 7.2 bug as described on the Red Hat page:

A vulnerability has been found in the ptrace code of the kernel (ptrace is the part that lets program debuggers run) that could be abused by local users to gain root privileges.

Now here's an XP bug, as described on the Microsoft site:

Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation: A security issue has been identified that could allow an attacker to compromise a computer running Microsoft Windows and gain complete control over it.

