So came across an interesting report today from various security folks (including Gunter Ollmann from ISS): http://www.techzoom.net/papers/browser_insecurity_iceberg_2008.pdf
I can appreciate what they are trying to do - and I believe they were probably trying to be as un-biased and scientific as they possibly could given the nebulous goal of the study but it was, unfortunately, full of fail (at least with respect to the IE results). What they seem to have done is combed the Google logs looking at the user-agent strings over a 1.5 year period to gather major + minor version information for the browsers they studied. The only problem? IE doesn't send minor version information, so there's no way to determine IE patch levels from the user-agent string. Oops.
So to compensate for that they:
For these simple facts - I really don't think it was wise to add IE to the mix . . . they should have (in my opinion) stuck to examining the Google logs - and stuck to examining the user-agent strings for browsers that report minor version information. Apples to Oranges comparisons aren't very good.