@postmodern Wow, where do I start…
“does Firefox keep posting new advisories almost weekly or monthly” because this is their update schedule, and with such a large, continuously evolving codebase bugs are practically inevitable? Why are Linux or Windows (or Chrome, for that matter) pushing regular security updates? Why don’t they just write perfect software? Amateurs!
“Even Pwn2Own found a new 0day” - “Even” P2O, like y’know, a competition for world-class researchers? Oh btw. Chrome got pwned there too: https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-days-exploited-at-pwn2own-2024/
“we should be seeing less not more vulnerabilities” - CVE counting has always been a bad metric because of massive selection bias (among other factors): you only know about published CVEs, CVEs don’t have a 1-1 relationship with bugs, CVEs may relate to 3rd-party code (see libwebp), etc. Jericho wrote a lot about this for sure, look it up!
Again, Chrome may be objectively better in terms of security, but your reasoning seems really badly informed.