Not completely unexpected, but i'd like to see the same evaluation performed on other vendors, my guess is that the result would not be substantially different.<p>The "process" for handling vulnerabilities once they are discovered would probably be better, but i doubt the same would be true for the coding practices. These vendors have too many products and seldom each one goes its own way in regard to software.<p>See: <a href="https://news.ycombinator.com/item?id=19507225" rel="nofollow">https://news.ycombinator.com/item?id=19507225</a>