IBM Names Itself Worst Company For Fixing Critical Software Security Bugs
blogs.forbes.comAs Bill Belichick would say, it is what it is.
The question is why they don't patch the security holes??
A bug is classified as Critical based on how much access/damage the an attack could create, not based on how it would affect customers. It is possible to have a critical vulnerability that you can expect very few customers to see.