(in the footnote, on page 3 of the PDF) by saying:
[1] "Is Linux More Secure Than Windows" by Laura Koetzle, Forrester Research, covers some of the issues outlined in this paper well.
(Emphasis mine.) This report was debunked by the distros themselves, whose executive summary went like this:
GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed.
The Forrester report may have covered an issue (namely, "number of vulnerabilities in a time frame"), yes. However, that is not what either report was advertised as covering (overall security).
The actual data given by Forrester included "the average time for [what we classify as] critical vulnerabilities to be fixed". At first glance this looks like a good thing to be measuring. But it's not -- one issue is that Forrester classified the vulnerabilities themselves, and not all remote holes are automatically at the "extremely critical" rating (which is basically where Forrester put them, IIRC).
To be fair, this report did note some (not all!) of the shortcomings of the Forrester one. But when they talk in such glowing terms about such a flawed study when they first mention it, I start to wonder.
Also, how much different would this group's results have been if they'd chosen Perl instead of PHP? What about Python?