It's true, though, that Apple's record on patching security issues is not very good. They seem to have the mentality of a closed source company, not realizing that they ship an open source product, so they really don't have control over the disclosure schedule of vulnerabilities in MIT Kerberos, OpenSSH, Apache, OpenSSL, OpenLDAP, Postfix, ClamAV, etc.
I recall that about two years ago, when the OpenSSH vulnerabilities came out, the Linux and BSD distros all had the patches out in about two or three days, and the closed source Unix vendors like IBM, Sun and HP took more like a week or two (SCO took forever, but they don't count). Apple didn't get a patch out for a month or more, by which time exploits were in the hands of the most useless of script kiddies.
One interesting thing in the report is the distinction they make between "vendor confirmed" vulnerabilities in IE and "vulnerabilities" in Firefox. Microsoft has patched numerous vulnerabilities in IE in the past year silently, without ever confirming them, so MSFT's dishonesty counts in their favour in this report.