Below is my 2010 (but still relevant :-( ) response to the UK Government's statement on Microsoft Browser Security, from http://blog.ebrahim.org/2010/01/28/uk-government-says-no-evidence-ie-is-less-secure/
Clearly, the Home Office hasn’t examined the patch release model of Microsoft, in that they only release patches for vulnerabilities that are known to be being exploited, or are likely to become immediately exploited.
Many security researchers have has issues with Microsoft’s suggestion that releasing patches enables those without prior knowledge to determine the vulnerability, however this logic is flawed, as ‘spearfishing’ and similar limited-distribution attacks typically use vulnerabilities that are known, but without any publicly available patch.
In short, if a patch is published, attackers can engineer an exploit, however this is only after all auto-updating systems have been made immune. Systems that are not auto-updating will not receive the patch, but would also have not had many other patches – for which legacy exploits are widely available.
Conversely, other web browsers vendors produce patches much more often, and their browsers check for, and prompt for installation, patches at every startup and periodically afterwards – so unpatched versions are highly unusual.http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CFEQFjAG&url=http%3A%2F%2Fblog.ebrahim.org%2F2010%2F01%2F28%2Fuk-government-says-no-evidence-ie-is-less-secure%2F&ei=zxygUIOgH4rT0QWO8IC4CQ&usg=AFQjCNEVFf4RZonpbu_k3l9tYy55_s9KfA&cad=rja