While I do not keep track of such things, it is interesting that IBM software had quite a few vulnerabilities, probably since there is a lot of shared code between applications.
Only two Microsoft programs made the Top 20 list of core programs, which was dominated by IBM, with eight entries. Tivoli Endpoint Manager was Big Blue’s worst performer, with 258 vulnerabilities earning it 8th place. It was followed by Tivoli Storage Productivity Center (231), IBM WebSphere Application Server (210), IBM Domino (177), IBM Lotus Notes (174), IBM Tivoli Composite Application Manager For Transactions (136), IBM Tivoli Application Dependency Discovery Manager (136), IBM Tivoli Application Dependency Discovery Manager (122), and IBM WebSphere Portal (107).
The full list, including a table, can be found at the link.
Link: ZDNet: The programs with the most security vulnerabilities in 2014 were not the ones you think