https://arstechnica.com/security/2016/09/linux-kernel-security-needs-fixing/ Based on the number of concurrent discovered bugs, at least a few. Statistical techniques won't work when it is only discovered bugs. https://en.wikipedia.org/wiki/Selection_bias But the fact that severe bugs are in a distro for over a year makes it irrelevant how many there is. A systematic effort to search for bugs and to anonymously create honeypots is needed. Arguably the best technique would be to reuse TOR directory server private keys as bitcoin addresses for a crowdsourced bug bounty effort.