What you posted was supposedly the "Alltime" stats (from 1999 to 2021). First, the CVE site posts the following (
https://www.cvedetails.com/how-does-it-work.php ):
Warning: This site and all data are provided as is. It is not guaranteed that all information is accurate and complete. Some of the published vulnerabilities may be missing in our database. Use any information provided on this site at your own risk. By using this site you accept that you know that these data are provided as is and not guaranteed to be accurate, correct or complete. All content is provided as is.
and
Please Note: CVE data have inconsistencies which affect accuracy of data displayed on
www.cvedetails.com. For example a single product might have been defined with several different names. If a product is defined with different names in CVE data then they will be treated as different products by
www.cvedetails.com. For example vulnerabilities related to Oracle Database 10g might have been defined for products "Oracle Database", "Oracle Database10g", "Database10g", "Oracle 10g" and similar. Or a PHP vulnerability might have been defined for Fedora Linux 10, so number of vulnerabilities or statistics are only as accurate as CVE data. Please make sure that you manually verify all data before using. If you think that there inconsistencies or errors in data published by this site that do not exist in NVD vulnerability XML feeds, please contact admin @ [this domain].
So the wording "Distinct" doesn't mean much as implied by the above.
Second, that posting means nothing in terms of vulnerability. For one thing, the basic kernel itself is found in all the distros that run off it and a bug there gets propagated to all those distros that use it. Another example, Debian is the basic Linux distro upon which a number of other Linux distros build upon, so its not clear that a vulnerability in Ubuntu is the same vulnerability in Debian. I believe the Apple products are built on FreeBSD. The point is, there are only a small number that most of the various Linux distros build upon and any bug in the root distro (or kernel) can get propagated to those distros that build upon it.
Now if I take the data for 2020, the last complete year, I get a different picture (
https://www.cvedetails.com/top-50-products.php?year=2020 )
1 Android
2 Windows 10
3 Windows Server 2016
4 Windows Server 2019
5 Debian Linux
6 Windows Server 2012
7 Windows 8.1
8 Windows Rt 8.1
9 Fedora
10 Windows 7
11 Windows Server 2008
and I can make the same case here as I did for Linux - how many of those Windows versions had the same bug counted.
Each year can be checked back to 1999 (while Linux was still an anomaly and iPhones, iPads, etc. didn't exist). BTW, even though 2021 is shown, it provides the identical data as "Alltime". Also, what is being counted as a vulnerability? Is it a true vulnerability or a bug? I use both Windows and Linux (Mint). I get more "Security" fixes from Windows than I do from Linux Mint and many of those in Mint are in the the installed packages such as Firefox, Chrome, or some other package (which, BTW, may have been the same fix in the corresponding Windows version, if one exists).
