Microsoft released its Security Intelligence Report. Be sure to read it carefully before taking any of the stats as hard fact.

For example, the company said that "In the second half of 2008, Microsoft analyzed a sample of data obtained from customer-reported incidents, submissions of malicious code and Microsoft Windows error reports. The results included the following: For browser-based attacks on Microsoft Windows XP-based machines, Microsoft vulnerabilities accounted for 40.9 percent of the total, down from 42 percent in the first half of 2008. The proportion of Microsoft vulnerabilities on Windows Vista-based machines accounted for just 5.5 percent of the total, while third-party vulnerabilities made up 94.5 percent of total vulnerabilities exploited. Windows XP and Windows Vista were the only operating systems involved in the comparison."

If you didn't read that carefully you might have missed an appropriate interpretation of the phrase "sample of data" which of course we must take to mean "a piece" - e.g. not the entire set of data. So which piece was it, and how was it selected?

As I've said before, these kinds of reports primarily serve the vendor who issues them. If security companies really wanted to publish helpful statistics that reflect the broadest possible view of trends then the companies who collect such data would pool all their data and statistics together and issue a combined report.

Don't hold your breath waiting for that to happen. Nevertheless if you're interested in reading the latest report from Microsoft, it's located here.