Back of the Envelope Math – Undercover Vulnerabilities

Assumptions:

  • [A1] Schneier says: "They find, on average, one security flaw per 1,000 lines of code." Update: I can’t substantiate the number but if memory serves me, 1/1k is a common rule of thumb for all defects. Also, I think the numbers here are more likely – around 1/10k. I will use this number instead.
  • [A2] Tippett says: "Only 3 percent of the vulnerabilities that are discovered are ever exploited."
  • [A3] The National Vulnerability Database shows 29,360 vulnerabilities found, ever (I suppose).
  • [A4] Spire Security (i.e. me) lists 20 total vulnerabilities discovered via exploit. (undercover exploits)
  • [A5] Spire Security (yup, me again) estimates there are 3 trillion lines of code in the world, perhaps 240 billion "active" lines of code.

Calculations:

  • [C6] 240,000,000,000 / 10,000 = 24 million vulnerabilities in existence. [A5]/[A1]
  • [C7] 30k / 24m = .125% vulns found (that’s 99.875% of vulns undisclosed). [A3]/[C6]
  • [C8] 30,000 * 3% = 900 vulnerabilities actively exploited (can this be right?) [A3]/[A2]
  • [C9] 900:20 = 45 to 1 odds that an exploited vulnerability will come from the pool of known vulns. [C8]/[A4]

etc.

Update: I’ve had some feedback that suggests [A3] NVD numbers may be off by as much as a factor of 50 and that my list of 20 undercover exploits [A4] is "off by half" which I don’t understand but will use 100 to be on the safe side. Here are the calculations in that case ([A3] = 1,500,000; [A4]=100):

  • [C6] 240,000,000,000 / 10,000 = 24 million vulnerabilities in existence. [A5]/[A1]
  • [C7] 1.5m / 24m = 6.25% vulns found (that’s 93.75% of vulns undisclosed). [A3]/[C6]
  • [C8] 1.5m * 3% = 45,000 vulnerabilities actively exploited [A3]/[A2]
  • [C9] 45,000:100 = 450 to 1 odds that an exploited vulnerability will come from the pool of known vulns. [C8]/[A4]
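The two calculation runs above, written out as an added Python example (this is not code from the original post). The assumptions [A1]..[A5] and the chain [C6]..[C9] are encoded once so both the original and the updated inputs can be run through the same steps, and a small helper scales one input at a time to show which results each assumption actually moves. The `Assumptions` and `Results` classes and all field names are this example's own.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Assumptions:
    """The post's inputs [A1]..[A5]; field names are this example's own."""
    lines_per_vuln: float       # [A1] one vulnerability per this many lines of code
    exploited_fraction: float   # [A2] share of discovered vulns that are ever exploited
    known_vulns: float          # [A3] vulnerabilities listed in the NVD
    undercover_exploits: float  # [A4] vulns first discovered via an exploit
    active_loc: float           # [A5] "active" lines of code in the world


@dataclass(frozen=True)
class Results:
    vulns_in_existence: float    # [C6] = [A5] / [A1]
    fraction_found: float        # [C7] = [A3] / [C6]
    actively_exploited: float    # [C8] = [A3] * [A2]
    odds_from_known_pool: float  # [C9] = [C8] / [A4]


def back_of_envelope(a: Assumptions) -> Results:
    """Carry the post's four steps through in order."""
    c6 = a.active_loc / a.lines_per_vuln
    c7 = a.known_vulns / c6
    c8 = a.known_vulns * a.exploited_fraction
    c9 = c8 / a.undercover_exploits
    return Results(c6, c7, c8, c9)


# The post's two scenarios ([A3] rounded to 30k in the first, as in [C7]/[C8]).
ORIGINAL = Assumptions(lines_per_vuln=10_000, exploited_fraction=0.03,
                       known_vulns=30_000, undercover_exploits=20, active_loc=240e9)
UPDATED = replace(ORIGINAL, known_vulns=1_500_000, undercover_exploits=100)


def depends_on(a: Assumptions, field: str, factor: float = 10.0) -> dict:
    """Scale one input by `factor` and report which results move.
    Returns {result_name: True if that result changed}."""
    base = back_of_envelope(a)
    bumped = back_of_envelope(replace(a, **{field: getattr(a, field) * factor}))
    return {name: getattr(base, name) != getattr(bumped, name)
            for name in Results.__dataclass_fields__}


def describe(a: Assumptions) -> str:
    """Render the four results in the post's own wording."""
    r = back_of_envelope(a)
    return (f"[C6] {r.vulns_in_existence:,.0f} vulnerabilities in existence\n"
            f"[C7] {r.fraction_found:.3%} of vulns found "
            f"({1 - r.fraction_found:.3%} undisclosed)\n"
            f"[C8] {r.actively_exploited:,.0f} vulnerabilities actively exploited\n"
            f"[C9] {r.odds_from_known_pool:,.0f} to 1 odds that an exploited vuln "
            f"comes from the known pool")


if __name__ == "__main__":
    for label, scenario in (("original", ORIGINAL), ("updated", UPDATED)):
        print(f"--- {label} ---")
        print(describe(scenario))
    movers = [f for f in Assumptions.__dataclass_fields__
              if depends_on(ORIGINAL, f)["odds_from_known_pool"]]
    print("Inputs that change [C9]:", movers)
```

Running it reproduces 45 to 1 for the original inputs and 450 to 1 for the updated ones. The `depends_on` sweep also makes one property of the post's own formulas explicit: [C9] = [A3] * [A2] / [A4], so the lines-of-code assumptions in [A1] and [A5] affect only [C6] and [C7] and never the odds figure. That is why multiplying [A3] by 50 and [A4] by 5 in the update moved [C9] by exactly a factor of 10.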

2 comments for “Back of the Envelope Math – Undercover Vulnerabilities”

  1. February 8, 2008 at 11:43 am

    I see the logic, but the conclusion “45 to 1 odds that an exploited vulnerability will come from the pool of known vulns” isn’t passing the “smell test” for me.

  2. Pete
    February 13, 2008 at 9:52 am

    @Alex -

    Well, if you thought the logic was off, we could at least discuss that. I am not all that anxious to discuss your sense of smell ;-) .