But you guys don't understand: security flaws that are willingly implemented by the NSA are not counted as vulnerabilities, but as "features" lolz...
Seriously though, there is no way to make a graph about this crap, because there is no way to even scratch the surface on the amount of vulnerabilities and bad code in closed source software.
iOS/OSX have a BSD legacy, which makes them probably way better in terms of coding quality in comparison to MS-Windows, but still, there is no way to really know how vulnerable they are.
GNU/Linux is completely open source, en yet there are still new vulnerabilities found and added on a monthly basis... yup, that's right, GNU/Linux is technically the most innovating and evolving out of all of them, because it spans much more platforms and much greater compatibility and functionality. In that ever changing code, there are bound to be bugs that lead to vulnerabilities, because that's just the way it is. Being open source though, these bugs can be tracked, and when they're found, they're fixed immediately. From Linux Kernel 4.0 on, there is even live kernel patching, that implements security fixes in the kernel's code in-session, without even having to restart the machine.
And that's the big difference between Linux and the rest: Linux accepts that bugs happen, and focuses on implementing mechanisms to minimize the damage and to optimize the patching, because everything is out in the open, nothing can be hidden, and every line of code has the name on it of the person that contributed that line of code. Commercial closed source platforms deny that there are problems as long as they can, they usually wait as long as they can before patching, and they try to block any and all communications about possible security or quality problems in their code. They don't have quality control to speak of, because their code is obfuscated anyway.
So if we accept that all code has bugs that can constitute vulnerabilities, and we even make abstraction of the fact that open source software, due to its open nature, has much less bugs per lines of code that obfuscated software, then lets' be real here for a second: look at the size of the code of a full featured GNU/Linux distro, then look at the size of the code of MS-Windows... then apply statistics and common sense... yup, there's your answer... just by the number of lines of code that supposedly just do the same thing, IF MS-Windows would reach the same coding quality standard as open source (which it definitely doesn't, not by a long shot!), THEN MS-Windows would already contain at least an order of magnitude more bugs than GNU/Linux, just by applying statistics.