How would you modify your argument rather than dismiss the evidence against it?
For example, could you propose an equation using the number of CVEs and their severity along with the rough number of known users, showing that some curve or values would indicate maturity rather than risk?
Some data for Flash[1] CVEs are available at CVE Details. Possibly you could find other products you consider safe and see how they compare.
I’d be curious if an analysis would show correlation of what you’d consider greater risk with a year that Adobe started outsourcing to a particular company or decided to EOL it; I’m not proposing that quality went down due to one of those things or that they outsourced, but analyzing the data could be useful.
You believe the security of systemd is strong, and that CVEs are a sign of use and maturity, then you’re saying ~2 CVEs per year on average is compatible with good security.
I understand you believe this, but I don’t see how it’s rational.
[1]- https://www.cvedetails.com/vulnerability-list/vendor_id-53/p...