Just in case, the link is typical deliberate misinformation from the MS marketing department ("get the facts", etc.).
Just in case, provide any proof that this report has anything to do with Microsoft.
Or the methodology for how the vulnerabilities were counted.
I read the original article; I might have got it wrong, so my apologies. It still leaves a lot of questions for me. Like, why did they choose the Debian kernel, and not Red Hat or Oracle? I believe because it was easier to make up the numbers they wanted. And why did they take all the history from 1999 (which was long ago and has nothing to do with the current state of the project)?
Here are my two cents on how I'd do it. I wouldn't even compare two OSes; I'd compare two deployments that do a similar thing (say, a file server or a web server). All setups should be hardened, otherwise it simply doesn't make sense for production (containers, virtualization, etc.). I'd also count only the vulns that are relevant to me. This way it gives a much better idea of real security, not paper security based on vague metrics.