To me, as a security/systems guy, I really couldn’t care less if this number goes up, down, stays the same, or disappears.

If Windows has 0 vulns in a year, will that cause my actions to change? I might have an extra beer and give a hurrah for Microsoft, but that means nothing about my risk tomorrow, or the day after that, of a single new vuln to arise.

What if Windows has 0 vulns for 5 years? That doesn’t eliminate mistakes or other such situations that my users, staff, or even myself might introduce into my environment. Again, little of my action will change.

If anything, my C-levels may eventually read such reports and lower my budget in response, which would (stupidly) change my behavior. But hey, that’s life.