IBM Names Itself Worst Company For Fixing Critical Software Security Bugs (opens in new tab)

A bug is classified as Critical based on how much access/damage the an attack could create, not based on how it would affect customers. It is possible to have a critical vulnerability that you can expect very few customers to see.