Adobe admits Google fuzzing report led to 80 'code changes' in Flash Player

15.08.2011

Andrew Storms, director of security operations at nCircle Security, put that into plainer words. "They were forced to," said Storms.

CVEs are used by security researchers to correlate and coordinate publicly disclosed vulnerabilities, said Storms, and by others, including analysts, the media and security professionals within organizations, to gauge how often a product is patched and how the vendor deals with bugs.

"If a product has a large number of CVEs, there's more concern about those managing the development lifecycle of the product," said Storms.

But since CVEs are assigned differently by different vendors, it's tricky to use them to compare several products' security prowess simply by looking at the numbers, Arkin argued.

Google and Mozilla, for instance, assign CVEs for vulnerabilities discovered by internal developers, as does Apple on occasion. Microsoft, like Adobe, does not.