Not completely unexpected, but I'd like to see the same evaluation performed on other vendors; my guess is that the result would not be substantially different.
The "process" for handling vulnerabilities once they are discovered would probably be better, but I doubt the same would be true for the coding practices. These vendors have too many products and seldom each one goes its own way in regard to software.
See: https://news.ycombinator.com/item?id=19507225