Patches and security metrics

Long time no security talk. This is meant just as a quickie, to jot some thoughts down while they’re in my head and before I take off to The Big Blue Room for a week or so.
I was listening to the most recent pauldotcom podcast, and something struck me about it. They’re not alone, but Twitchy spent a good 60 seconds at least decrying Macs for the number of patches they received in the last update.
Now, I’m not the smug Mac user that he / they hate, but it strikes me that it’s just as foolish to base one’s perception of the security of a product on the number of patches it receives (security-related or otherwise) as it is to use any other single metric to judge anything else. For instance, judging worker performance by the number of request items closed is crazy. Judging a salesman’s performance based exclusively on the number of products sold shows poor judgement. (If you’re going to use a metric there, make it repeat customers. I know for real estate and vehicles that’s a bit less convenient, but if the customer’s not happy, it’s not a good sale just because you have their money. But I digress.)
All operating systems (and suites of software) have tons of exploits. Pick your poison. To quote a bofh who shall remain nameless here, “I’ve always taken the position that if you can’t find anything bad to say about a language or an operating system then you don’t understand it.” The key is – and in fairness, Twitchy touched on this – to understand just what you’re getting into when you run OS X or Linux or FreeBSD or Windows. I run all of those, every day, for different reasons. I have OSes that I prefer over others, and while it would be exaggerating to say that I literally hate them all, there really are things about each one that I can’t stand. (And they *all* have very annoying, smug userbases, albeit FreeBSD’s is much smaller because there are far fewer end-users of that than of any of the others named.)
Besides, if you’re gonna go by the number-of-patches metric, I’m pretty sure that if one were to count up all the patches for all the Linux applications (yeah yeah, Linux is just the kernel, but what the hell can you do with just a kernel?) in the last month, it would be a lot more than 50. So there. Hell, Firefox+Thunderbird alone must be approaching that. :-) In other words, I see your OS X 0-day driver vulnerability (that got somebody at ShmooCon 0wned), and raise you a 0-day Linux file privilege escalation vulnerability (that got a major Linux distribution’s build box compromised). Rationalize that how you will – “but the Linux one required local user privileges already” – but in the end, it’s still a major hole that affected a *lot* of people, and it’s far from the only one.
NO operating system is safe by the sheer virtue of its philosophy or designers or hardware or the majority (or minority) of the people using them or any other reason. By extension, no OS is unsafe simply because it has a lot of patches. I’ve used a lot of them in my time, and believe you me, every OS sucks. Appeal to authority? Maybe. I don’t care.