
91% could also be pretty misleading because not all vulnerabilities are equal. It's easy to let 9 potential segfaults or memory corruption issues get disclosed if you get to hold on to the 1 iOS Zero Day/Shellshock type attack/etc...


You beat me to it, haha. I was going to make the point that the vast majority of bugs found don't do anything significant for a hacker. A program crash or corruption at worst. It wouldn't surprise me if NSA just discloses the ones that hurt availability while weaponizing the few hitting confidentiality or integrity.


Yep. Think of it as creaming off the top 9%.



