Secunia has found that the number of security bugs in the open source Red Hat Linux operating system and Firefox browsers far outstripped comparable products from Microsoft last year.
In a report released this week, Secunia also criticised CA for the quality of the code in its antivirus products, saying that "inherent" code problems are exposing CA products to ongoing security vulnerabilities.
On the other hand, "zero-day" security bugs in Firefox were patched more quickly than in Microsoft Internet Explorer, according to the Secunia 2007 Report, released this week.
In a review of the number of vulnerabilities found in enterprise antivirus vendors' products, Secunia found that CA was by far the leader, with 187 vulnerabilities, followed by Symantec with 73. Trend Micro (34), ClamAV (15), McAfee (13) and F-Secure (6) ranked lower on the list.
The high figures for Symantec and CA are partly due to their wide range of products, some of which cover areas other than antivirus, Secunia said.
However, the majority of the CA bugs were due to "inherent code problems with some CA products", Secunia said in the report.
Of particular concern is CA's range of ARCServe Backup products for laptops and desktops, which Secunia submitted to its Binary Analysis process after several bugs were reported and fixed. The bugs involved errors in processing particular arguments and requests.
The analysis found that about 60 reported bugs were still present in the supposedly patched versions.
What's more, the analysis found that the vulnerabilities were partly due to "the nature of the product code itself", Secunia said.
"Unless an overhaul of the code is undertaken, then the product remains susceptible to similar types of vulnerabilities," Secunia said.
However, CA said in a statement that it has rigorous quality-control measures in place for its software and continues to improve those measures.