Some relevant, interesting, material on counting CVEs:

https://plus.google.com/u/0/+JustinSchuh/posts/CNEgtJWYTb5

http://lcamtuf.blogspot.com/2010/05/vulnerability-databases-...

Good points there, will bear in mind in the future.

CVE counting is a poor proxy for actual security. A browser that does not sandbox its renderers or enforce a permissions model on its extensions cannot reasonably be considered secure in 2015.

> enforce a permissions model on its extensions

Why? Surely as with any software one should only install extensions that one trusts?

You trusted it, but you were wrong