Your figures are way off by a lot Okie. Apple sells 12 million Macs in six months. And they sold 75 million iPhones in just one quarter of the last four! so you can add another 150 million to those iPhones in just the last year alone. But people don't just throw away Macs and iPhones after a year of use, Okie.
Try 100 million Macs and 1.2 Billion iOS devices in the wild, if which perhaps 800 million iPhones and iPads are vulnerable and 90% of the Macs might be vulnerable to this exploit IF they had AirDrop turned on, and IF they did not limit AirDrop to only trusted friends, and IF they had the malicious attacker's Apple Cert already installed. However, my off the cuff guesstimate of those who might meet those criteria, now that I consider it, was WAY TOO HIGH. . . especially when you add in the Apple Certificate. Now we are close to ZERO. The only way this researcher got HIS exploit to work was he had to install his certificate before it would install. Now we are looking at 99.99999999% of Mac users would NEVER run into this in the wild.
However, yes, they are a statistical non-entity when considering the overall picture since this is a LOCAL area exploit. First the stupid users who have their AirDrop wide open, would have to have set their Macs to BE vulnerable, then they have to have the malicious Cert on their device. . . and then they will, wonder of wonders, be within 30 meters of the very person who is the developer who was issued that certificate. Who happens to send them the attack. RIGHT, sure.
But the number of Macs ever hit by a one of the 67 known Trojans or exploit is always listed as fewer than 100 Macs in the wild.
The two times that Dr. Web, a Russian anti-virus publisher, claimed to have discovered a huge, MacBot constructed out of 640,000 infected Macs, and later a smaller 20,000 infected Macbot, both turned out to be HOAXES intended to sell Doctor Web's new Mac Anti-Virus products, first for its Business Mac A/V and then later for its Home version. Not a single infected Mac was ever found in the wild! Not one. Their claims of these massive MacBots were three day wonders, but as people checked the machines that Doctor Web claimed were "calling home" to the bot server and also being intercepted by their intercept honey pot, it was discovered that the UUID's of the Macs turned up non-infected computers, Computers that did not have the prerequisite Java installed on them which was required to even get infected, and, worse, more than half of the so-called infected Macs had neither been sold OR EVEN MANUFACTURED YET by Apple. What Doctor Web had was merely a list of UUIDs that had been generated that were in the series of UUIDs that were assigned to Apple for use in Macs. Two of the Macs in my office had UUIDs in the Honey Pot, but neither had ever had Java installed and one had never been connected to the Internet. So much for that hoax!