Well, both actually.

Securityfocus has a story from Shadowserver data that says there are 1.2 million bot-infected PCs in the world. 1.2 million sure sounds like a big number, but it is only .15% (fifteen hundredths of a percent) of the estimated 800 million PCs on the ‘Net.

So, how would you decide whether this is siginificant or not? I would try to equate it to some type of threshold…. say, determining how much DoS damage they could do or what percent of spam messages they could send, etc…