Just counting kernel security patches will give the wrong numbers. The "kernel" includes device drivers for every imaginable hardware component you can possibly run Linux with. In any real server, the security exposure is a fraction of that. If AMD processors require a patch, my Intel boxes will be safe. If there is an exploitable bug in my 3COM NIC, my Broadcom ones will be fine. In any running Linux machine only a tiny fraction of the kernel codebase is active and running.
It's really like adding all the vulnerabilities in the Windows kernel to the vulnerabilities of every device driver ever shipped in a box or made available on the web for every conceivable device you can buy.
It's really like adding all the vulnerabilities in the Windows kernel to the vulnerabilities of every device driver ever shipped in a box or made available on the web for every conceivable device you can buy.