
Isn't fuzzing responsible for most CVEs the last couple of years?



Google have been blasting holes in Flash and the Windows kernel for quite a while now, by virtue of having a huge number of machines performing effective fuzzing.

See http://googleprojectzero.blogspot.co.uk/ for some neat writeups


A couple of years ago, I listened to a podcast on the general topic of malware, vulnerabilities and so forth (mainly malware and botnets, though), and the guest speaker mentioned that apparently Microsoft, too, had set up a number of machines (I think he said something like a couple of hundred) to do nothing but fuzzing on a large body of Microsoft software (including, I guess, stuff like Office, Exchange, SQL Server, Internet Explorer / Edge, ...).

I do not know if this is true (but it makes sense), and I have no clue how many bugs were discovered that way. But I would not be surprised if Microsoft quietly fixed those. The descriptions of their patches are often... a little vague (from the point of view of a sysadmin, I am by no means a security expert).


http://queue.acm.org/detail.cfm?id=2094081 says

"Since 2008, SAGE has been running 24/7 on an average of 100-plus machines/cores automatically fuzzing hundreds of applications in Microsoft security testing labs."


Thanks!



