Counting CVEs is a trivially easy argument to debunk. It’s a topic well written about by many open source contributors and security researchers. It’s a topic discussed on here frequently too. And it’s a topic that common sense alone should be able to debunk, should one spend a few minutes thinking about it rationally.
However I have written a more in-depth reply about why counting CVEs is meaningless here:
