Kristian Hermansen at Full Disclosure said that the report ignored "silently fixed" vulnerabilities that have been patched since Vista was released and Microsoft has not disclosed.
Instead the Volish report only dealt with publically announced bugs. Vista did have less of these and Linux, which announces almost everything had a higher number. However that did not make Linux less secure.
Hermansen listed a large number of bugs which Vista has not fixed but are the security community thinks are important.
Hermansen then goes through the Volish report and picks it to bits claiming that that the conclusions that were drawn were built on a lack of understanding by the Microsoft researcher. That is fighting talk.
More here. µ