And why did they take all the history from 1999 (which was long ago and has nothing to do with the current state of the project)?
To show how things changed over time? What improves and what becomes patched crap impossible to maintain?
Like, why they chose the Debian kernel
They compared multiple OS, including Red Hat and others. Debian just turned out to be the worst.
Ah, I found the original article. They took all the packages from the OS, that's how they counted the number of vulnerabilities. Here are those 1k2 vulns in "debian":
https://www.cvedetails.com/vulnerability-list/vendor_id-23/year-2018/Debian.html
As you can see, they count every package in Debian, which is nonsense. Any other distro will be better just because they have less software (and maybe more security features).
Also, it was for 2018. In 2019 the number of vulnerabilities is four times less. So why, in 2020, do we take data from 2018 and not from 2019 to judge the security of a product?
update: removed bold text, and made the post less offensive. Sorry friends, this topic triggered me.