Fair point. The larger picture is that while the number of CVEs certainly matters, what matters most is that the maintainers of the software maintain a record of quick turn around on patches and a welcoming attitude toward security researchers.

IMO, Rails has done a better job of this recently, and that makes me really happy.