This summary might be helpful. It relates to the "big four" OSs and covers the past decade.
------
Over the past decade, significant security vulnerabilities have been identified across major operating systems, including Linux, Android, Windows, and macOS. Here's a summary of the key vulnerabilities reported by operating system and year:
Linux
2014-2015: The "Shellshock" vulnerability (CVE-2014-6271) was a major issue affecting Bash, allowing attackers to execute arbitrary code. The "GHOST" vulnerability (CVE-2015-0235) was another critical flaw allowing remote code execution.
2016: The "Dirty COW" vulnerability (CVE-2016-5195) was discovered, a privilege escalation bug that had existed in the kernel for nearly a decade.
2017: The "Stack Clash" vulnerability (CVE-2017-1000364) allowed local privilege escalation.
2018: "Spectre" and "Meltdown" (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) affected Linux, exploiting speculative execution in CPUs.
2019: The "SACK Panic" vulnerabilities (CVE-2019-11477, CVE-2019-11478) affected TCP networking, leading to denial-of-service attacks.
2020: The "BootHole" vulnerability (CVE-2020-10713) in the GRUB2 bootloader could allow Secure Boot bypass.
2021: Multiple vulnerabilities in systemd (e.g., CVE-2021-33910) could lead to local privilege escalation.
2022: The "Dirty Pipe" vulnerability (CVE-2022-0847) allowed privilege escalation through the Linux kernel.
2023: Recent vulnerabilities (e.g., CVE-2023-3269) targeted the Linux Kernel's TCP stack, leading to potential remote code execution.
Android
2014-2015: The "Stagefright" vulnerability (CVE-2015-3824) affected media processing, allowing remote code execution via MMS.
2016: The "Quadrooter" vulnerability (CVE-2016-2503) involved four critical flaws in Qualcomm chips, affecting millions of devices.
2017: "BlueBorne" (CVE-2017-0781) affected Bluetooth, enabling unauthorized access to devices.
2018: The "KRACK" vulnerability (CVE-2017-13077) affected Wi-Fi WPA2, making Android devices susceptible to man-in-the-middle attacks.
2019: "Strandhogg" (CVE-2019-14023) allowed malicious apps to hijack permissions of legitimate apps.
2020: The "Strandhogg 2.0" (CVE-2020-0096) vulnerability further expanded the previous flaw’s scope, impacting almost all Android versions.
2021: The "BadAlloc" vulnerability (CVE-2021-22292) in Qualcomm chipsets allowed remote code execution.
2022: "Hermit" spyware vulnerabilities exposed security flaws in Android that enabled surveillance through malicious apps.
2023: The "SpyNote" Android Trojan highlighted new risks in unauthorized surveillance and data theft.
Windows
2014-2015: "CVE-2015-1701" was a privilege escalation vulnerability in Windows' user-mode subsystem.
2016: The "BadTunnel" vulnerability allowed remote attacks without user interaction. Microsoft also patched the "AtomBombing" technique (CVE-2016-7255) that allowed attackers to inject code into other processes.
2017: "EternalBlue" exploit (CVE-2017-0144) led to the widespread WannaCry ransomware attack.
2018: "Spectre" and "Meltdown" vulnerabilities also impacted Windows systems.
2019: "BlueKeep" (CVE-2019-0708), a critical RDP vulnerability, could allow remote code execution.
2020: The "SigRed" vulnerability (CVE-2020-1350) in the DNS server could lead to wormable remote code execution.
2021: The "PrintNightmare" vulnerability (CVE-2021-34527) allowed remote code execution through the print spooler service.
2022: Multiple vulnerabilities in Windows Defender and zero-day exploits like "Follina" (CVE-2022-30190) affected Office software and Windows.
2023: The "Acropalypse" vulnerability (CVE-2023-1685) compromised image cropping in Windows, potentially exposing sensitive data.
macOS
2014-2015: "Rootpipe" (CVE-2014-4453) was a privilege escalation vulnerability discovered in Yosemite.
2016: "CVE-2016-1757" and "CVE-2016-1825" involved privilege escalation and kernel vulnerabilities.
2017: The "High Sierra Root Bug" (CVE-2017-13872) allowed unauthorized root access.
2018: "CVE-2018-4237" and "CVE-2018-4280" addressed privilege escalation and kernel code execution.
2019: "CVE-2019-8781" was a kernel memory corruption issue leading to arbitrary code execution.
2020: The "Thunderbolt" vulnerability ("Thunderspy") exposed physical access risks to data.
2021: "CVE-2021-30892" exploited a flaw in macOS' Gatekeeper, allowing malware to bypass security checks.
2022: "CVE-2022-22674" and "CVE-2022-22675" were zero-day vulnerabilities that Apple quickly patched in Monterey.
2023: Vulnerabilities in macOS Ventura (e.g., "CVE-2023-23529") continued to expose the OS to remote code execution and malware risks.
------
Of course we will all immediately feel the need to question what it says about our personal favourite OS. We would need a fuller analysis of the raw data to get the most complete picture.
To me it says that security holes are to be found in all OSs, and on the basis of that summary, no one OS stands out as being "orders of magnitude" better or worse than the others.
Anyway, with all caveats acknowledged, it might still be of interest.