Researchers at Sourcefire have analysed 25 years of vulnerabilities that were reported to CVE and NVD databases and found some interesting results.
According to the report (lead author Yves Younan, Senior Research Engineer at Sourcefire):
We leveraged two well-respected data sources for our research. First, our classifications of vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) database which is used today as an international standard for vulnerability numbering or identification. The database provides 25 years of information on vulnerabilities to assess, spanning 1988 to current.
rest here