If you look at vulnerability counts alone, Microsoft is improving in nearly every category over past years, and doing startlingly well in many highly exposed and frequently attacked applications.
But my arguing friend had his own counter to these numbers: "Vulnerability counts don't mean anything!"
The arguments against counting bug reports alone are many. First, many of the announced vulnerability releases contain more than just one bug. But as I noted earlier, when I do a direct comparison looking for each individual exploit hole, Microsoft compares even more favorably than it does on announcement numbers alone.
A second valid criticism is criticality. Who cares if your product has fewer exploits than a competitor's if your exploits are more dangerous? Certainly, remote exploits allowing complete control without any client-side action initiated are more of a concern than local privilege escalation attacks; I can't dispute that. But check any of the products I've mentioned above and you'll find all of them are rife with remote "complete control" exploits.
Another valid concern is how many of the announced exploits are patched versus unpatched. Vulnerability lists, as much as I like them, don't do a great job on verifying when various exploits have been patched. I find this out all the time because I use different exploits to break into what is supposed to be "unpatched" software but turns out to be already sealed up.
A fourth criticism is that announced vulnerabilities don't take into account all the exploit holes that get silently patched by the vendor without ever notifying a vulnerability list, or all the potential zero day exploits that could be out there. I don't feel this criticism is nearly as valid as the others. It's like saying that "Yes, Acme Airlines had 10 crashes this year, but you don't know how unsafe the other airlines – the ones that didn't have any crashes this year -- really are."
The ultimate truth is that unless you, or someone else, with good experience in security code review examines all the involved source code, you really don't know how secure something is or isn't.
But I don't think you should outright discount a viable metric, such as vulnerability counts, simply because the numbers don't support your side of the argument at the time.
By the way, you may be wondering about my sparring partner for this argument. It was a Microsoft code reviewer. Even though the vulnerability numbers are looking better and better for Microsoft every year, he doesn't believe in numeric counts. He feels that the best test of security for an OS or application is how well it performs in actual usage.
He said, "Suppose your application only has one vulnerability, but it is that bug that leads to an exploit that causes massive damage in your company. You don't care about numbers or metrics. You only know the vendor let you down. It's that fact that I go to work with each day."
Man, I can't win!