Interesting (but not too surprising) figure, but overall disappointing lack of detail about the methodology and what was found. Many follow-up questions on what exactly they included and excluded, how vulnerabilities where counted, ... (especially automated audits tend to count any vulnerability related to a thing included, even if in codepaths or components that are never used, which is highly distorting)