With 2016 officially over, we can crown Android as 2016's product with most vulnerabilities, and Oracle as the vendor with the most security bugs.
This statistic is based on the number of vulnerabilities reported by security researchers in the past year, bugs which have received a CVE identifier.
According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016, security researchers have discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award."
Second place in this ranking went to Debian Linux with 319 vulnerabilities, while third place went to Ubuntu Linux with 278 CVEs.
The rest of the top 10 is made up by Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).