That's logical given it's part of the standard system. It's unfair to any vendor to lump vulnerabilities in all software onto the OS. It's also unfair to the users, giving too rosy a picture, to include only the kernel and core libraries.
The middle ground is better. It has IE exploits counting against Windows, Safari exploits against OS X. QuickTime should count against OS X, since it is the OS's player, but not against Windows, but WMP exploits should count there.
No it's not, if the vendor shipped it as part of their O/S "distribution", and the user is subsequently dependent on that O/S vendor for a compatible patch. Patches for what you want to call "3rd party" are only compatible if they come from the linux distro vendor, hence, it's a linux distro hole.