In an e-mailed comment, an Oracle spokeswoman said the number of reported vulnerabilities in a product alone is not a measure of the overall security of that software.

"Products vary significantly in terms of richness of features and capabilities as well as number of versions and supported platforms," she said. "Measuring security is a very complex process, and customers must take a number of factors into consideration -- including use case scenarios, default configurations as well as vulnerability remediation and disclosure policies and practices."

Basing a product's security just on the number of vulnerabilities discovered and fixed may not be the best approach, said Pete Lindstrom, an analyst with Midvale, Utah-based Burton Group."Oracle apparently won an ugly contest," Lindstrom said. But "there's got to be other criteria other than known vulnerabilities" for measuring software security, he said.

Until then, "the jury should still be out on what's more or less secure," Lindstrom said.

The NGSS report comes at a time when security researchers, irked by what they consider to be Oracle's glacial pace of fixing bugs, are increasingly turning their attention to its products. In October, the company announced fixes for over 100 flaws as part of its scheduled quarterly security updates. Many of the flaws were reported to the company by outside researchers.