Security stats for D7 & 8

I’m getting a mind-boggling push at my firm, internally, to push to WordPress. The argument is that it’s more secure than Drupal and Drupal’s market share is dropping. 

Mind-boggling, because everything I find is counter to that argument. It’s such a strange thing, but they seem to have traction thanks to Drupalgeddon 2 as their arguing point. 

What I’m trying to figure out is where I can get good stats on breaches. I know many of the major sites, but there are discrepancies and I can’t pull numbers for a whole range of versions. In other words, here: … I can pull for Drupal 7, but not a single report for 7 through 7.58 unless I wanted to pull numerous individual versions. Tedious.

And the main database, , doesn’t have that ability either.

I need this because a regular report shows spikes in CVEs in 2009 and 2012. I need to counter those, as they will make people nervous. When I look at the “mean” of case severity, WordPress does have a lower severity number. I know this is probably due to quantity. But any help would be greatly appreciated. Aside from this, what would be good solid arguing points – with research to back them up? I cannot use anecdotal comments; I need stats and proof that Drupal is the more secure choice.

