Whenever I see a study I look at who sponsored it.
Are you surprised it was sponsored by Microsoft?
I wrote such papers in a previous life and, believe it or not, Microsoft will not let these things go out if they think the conclusions go too far.
But it's so easy to make numbers tell the story you want to hear. Check the methodology, then ask:
- Define "security vulnerability". Are they all equal, or does a remote root hole count the same as a local denial of service?
- Define "days of risk". This study defines it as the time between public disclosure and an available fix. If I keep a risk to myself, is it not a risk?
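To show how much those two definitions move the headline number, here is a small added example (mine, not from the study or from Red Hat) that scores the same set of advisories three ways: the study's definition (public disclosure to fix), the vendor-knowledge definition (report to fix), and a severity-weighted version of the first. The advisory IDs, dates, and severity weights are constructed for illustration only.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Advisory:
    ident: str       # hypothetical identifier, constructed for this example
    severity: str    # "critical", "important", "moderate" or "low"
    reported: date   # day the vendor learned of the flaw (private)
    disclosed: date  # day the flaw became public
    fixed: date      # day a fix was available

# Assumed weights; any real study has to justify its own scale.
SEVERITY_WEIGHT = {"critical": 4, "important": 3, "moderate": 2, "low": 1}

# Constructed sample data: a fast-patched critical bug, a slow low-severity
# one disclosed the day it was reported, and two in between.
SAMPLE = [
    Advisory("EX-2004-001", "critical",  date(2004, 1, 5),  date(2004, 3, 1),  date(2004, 3, 3)),
    Advisory("EX-2004-002", "low",       date(2004, 2, 1),  date(2004, 2, 1),  date(2004, 5, 1)),
    Advisory("EX-2004-003", "important", date(2004, 4, 10), date(2004, 6, 1),  date(2004, 6, 2)),
    Advisory("EX-2004-004", "moderate",  date(2004, 5, 1),  date(2004, 5, 20), date(2004, 5, 25)),
]

def days_of_risk(adv: Advisory, start: str = "disclosed") -> int:
    """Days from `start` ('disclosed' or 'reported') until a fix was available."""
    if start not in ("disclosed", "reported"):
        raise ValueError("start must be 'disclosed' or 'reported'")
    return (adv.fixed - getattr(adv, start)).days

def mean_days(advs, start: str = "disclosed") -> float:
    """Plain average: every vulnerability counts the same."""
    return sum(days_of_risk(a, start) for a in advs) / len(advs)

def weighted_mean_days(advs, start: str = "disclosed") -> float:
    """Severity-weighted average: critical bugs dominate, low ones barely register."""
    total_weight = sum(SEVERITY_WEIGHT[a.severity] for a in advs)
    return sum(SEVERITY_WEIGHT[a.severity] * days_of_risk(a, start) for a in advs) / total_weight

def summarize(advs) -> dict:
    """The same data, three defensible 'days of risk' figures."""
    return {
        "disclosure_to_fix": mean_days(advs, "disclosed"),
        "report_to_fix": mean_days(advs, "reported"),
        "weighted_disclosure_to_fix": weighted_mean_days(advs, "disclosed"),
    }

if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(f"{name:28s} {value:6.2f} days")
```

On the constructed sample the study's definition gives about 24.5 days, counting from the day the vendor knew gives about 56 days, and weighting by severity pulls the first figure down to about 11 days. None of the three is wrong; the one a sponsor chooses decides the story.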
Mark Cox of Red Hat is offering his own data sets and scripts so you can test the Sisecure conclusions against your own systems.
So, is this FUD, or is this factual? What's the security record at your shop? Let us know in TalkBack.