Firefox tops list of 12 most vulnerable apps

http://blogs.zdnet.com/security/?p=2304

From all of the negative stuff I have heard about IE lately, I was surprised to see the fan favorite on the top of this list.
The only MS product is #12, Windows Live Messenger.

Even though I use IE, I’m surprised it’s not on the list considering all the problems it’s had this year.

Let me see … a guy who sounds very plausible, works for Kaspersky must be authoritative mustn’t he?

Did you read the Bit9 PDF report rather than the lazy and totally uncritical analysis in reporting of it by this so-called expert?

If you read criteria 5 and 6 in the report how can any thinking person be surprised that so few Microsoft components appear? For any Microsoft component to appear with these criteria must mean it is just about a disaster.

It contains no consideration of time to fix. It seems to ignore that a number of the products do contain (by default) reminders to the user to update. It seems to assume that no Microsoft users turn off Automatic updates. (You only have to live in this forum at all to be aware that many XP users are still resisting going to SP3 - though Heaven alone knows why).

As for centralized administration - just how many major enterprises do you think are deploying Firefox? Pretty much guarantees that a mainly home user product will fail on the criteria chosen.

I hope that this Kaspersky employee does not give up or lose his day job … he isn’t going to make a living with this quality of reporting in the real world.

There is the odd comment made at ZDNet that actually adds a little enlightenment:

33. Read the .pdf and you'll see why IE Is missing

Dutchie027 - 12/16/08

For those of you quick to criticise Microsoft, the vulnerability report states that the application requires end user patching and is not automated… IE can be patched by Windows Update/WSUS whereas Firefox’s vulnerabilities that put it into this list required manual intervention and were not part of its auto update system.
READ THE REPORT before you open your gob.

This report is only relevant for network administrators, for whom WSUS leaves Firefox dead in the water after an update.

One assumes that any network administrator who has installed Firefox on their network will also have set up some method of institutional deployment.

Unsurprisingly, Mozilla also has an opinion:

http://blog.mozilla.com/security/

Maybe IE problems are measured by special metrics, like Mozilla once said: :)

http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/

I think that the ZDNet post is pretty much in tune with my (rather more tactful) comments. (Later edit) as is the Mozilla post (thanks for the link to TheSpirit).

Nevertheless, what we see is folks believing the lazy blogging of this Bit9 report without reading the original source and a total lack of any critical thought about the way in which the Bit9 report was created.

It beggars belief to me that we are developing an audience that simply believes everything they read that comes across their screens without checking the (clearly available) source material and then offers it as gospel to their interest group.

This is not exactly WMD in Iraq … this is something anyone can read and question.

This thing smells bad. Woody spotted the connection between Microsoft and Bit9.

http://www.askwoody.com/