The lesson to take from this hypothetical example is that counting vulnerability reports is as likely to lead you to the wrong conclusion as to the right conclusion. Find more information before making a decision. Think through the implications of any metric you have available.
Don’t buy the easy interpretation just because it’s easy.
Link: http://blogs.techrepublic.com.com/security/?p=472
