You've probably already read Brian Krebs article A Time to Patch III: Apple, but if you haven't, I encourage you to read it and read the various responses he received - the responses run the gamut of

  • Linux advocates ("You do understand that Mac OS X is not a version of Linux, and is not an open source OS in the usual sense of the word?"),
  • conspiracy theorists ("...This sounds much more like Microsoft propaganda..."),
  • open source advocates ("... finally pointing out that Apple is a company that's even more protective of its intellecual property than Microsoft ...")
  • existentialists ("... In fact, I have been using Macintoshes heavily since 1984 and I've never had a single security problem.")
  • allegoricists ("...Potentially, an envelope I lick to seal could have LSD on it.")
  • poor analogies ("...Over the years in a far away country, fires have increasingly ravaged ...")
  • better analogies ("...Imagine someone traveling to a small town and learning ...")

and many, many more.  Good reading and entertaining at the same time.  Brian even provides spreadsheets with his data and links to sources.

When I read this, I thought to myself "What if this article was about Microsoft?" - would the responses have been different?  "What if the article was about Linux?"  Sun?  Oracle?  I think it is clear from the emotional responses that the data matters less to some people than their belief system - and that's not good for security!

Here's the question I ask myself.  If I had one system that housed my critical business information (say customer credit cards) and I believed there were attackers who might target me to get that information, then wouldn't I want to know how many vulnerabilities there are and how long a vendor might leave them unpatched?  I would.  If I was basing a 5-10 year business decision in part on security criteria, I certainly would (among many other things...). 

Of course, I would also consider the threat of a virus and the threat of a targeted attack as two discrete risk issues and not muddle them together... but that's for another day.