Yes, I'm familiar with this sort of junk-science "analysis" assembled by journalists or random tech companies counting stuff in a database and using it to form some kind of conclusion.
Side note: one of the dumbest articles I ever read was some lazy tech journalist trying to decide which Steam games were popular based entirely on the average total play time (in hours and minutes). He concluded that everybody hated "HL2: The Lost Coast" because the average play time was about 15 minutes, without bothering to check that The Lost Coast is actually a short tech demo that can be completed in a few minutes, so obviously people aren't going to rack up hundreds of hours playing it.
For example, consider these numbers:
So they count "Debian", which is an entire distro with thousands of packages, separately from "the Linux kernel", which is one component of a Linux system and already included in every other Linux distro. Does that mean the 2357 kernel vulnerabilities need to be subtracted from the 3067 Debian vulnerabilities, or have they already done that? Do the Debian vulnerabilities include only the kernel, core packages, or every package in the distribution (including Firefox, Thunderbird, etc.)? The article doesn't say, and the source data is not available since this is just a second-hand report of an "analysis" done by a random VPN company, not a proper scientific study.
In any case, comparing an entire Linux distro with just "Windows" isn't a valid comparison, because a Linux distro includes thousands of third-party packages. In order to make that a fair comparison you'd also need to include Microsoft Office and everything in the Microsoft store under the "Windows" heading.
I realise that everybody hated Windows 8, but I'm fairly sure that it didn't somehow magically vanish from history.
So they're potentially including a full 16 years of extra vulnerabilities to Debian, by ignoring all versions of Windows released before 2009? Yeah, I'm sure that makes absolutely no difference to the analysis.
No shit, Sherlock.
They got something right at least. Nobody should be complacent about security, since all modern operating systems and software are affected by vulnerabilities, and need to be kept up-to-date with security patches.