Of the 384 vulnerabilities, only 2 resulted in exploits, and those were on older versions of OS X, AFTER the vulnerabilities were published and AFTER Apple had pushed out the patches, since Apple was the one who revealed the vulnerabilities. The exploiters were opportunists who took advantage of people who did not bother to install updates.
Apple Exploited Vulnerabilities by year, 2015 had 2
These two:
Note they are both earlier versions of OS X.10 Yosemite, not OS X.11 El Capitan
The exploit is quire complicated on the first, requiring construction of a complete dictionary to replace a supplied dictionary and then somehow getting it installed on the target computer. Not an easy task. This exploit turns out to be a proof of concept sent to a security company. It was never in the lab.
The second "exploit" was another proof of concept, never released into the wild.
Both were never in the wild.
One has to REALLY stretch to put OS X and iOS at the top of any vulnerability list! As has already been posted, exploits have been rampant in several pieces of software, as well as operating systems - easily exploited that many apparently still are (with Flash being a massive security black hole of death) - and I still have to make regular visits to my Dad’s to disinfect their two Windows-based PC’s - neither browse porn or other nefarious sites. Yes, they occasionally fall for the “click here to install..” garbage (that can pop up even WITH anti-malware running). I’ve tried to overcome their proclivity, but I’m afraid the “old dog/new trick” adage is accurate in their case.
I suppose the report above also fails to differentiate between known and corrected “possible” holes and malware that is installed intentionally by even known software from the original/authorized sources.