I'd argue that the Flash security argument is just a regurgitation of headlines people are reading. Every prolific web technology has a large number of CVE's.
Yes, they do. The problem is that Flash adds a layer of risk and the associated costs of risk management onto the web stack.
Adobe does not bear the cost of maintaining flash integrations, and doesn't bear the cost of the liability for shipping these vulnerabilities. If a user gets hosed because of Flash in Internet Explorer, Firefox, or Chrome, they blame their browser.
This externalization of the costs of securing the product, coupled with externalizing the cost of maintaining browser integrations means that it is harder to build a secure browser.
Flash needs to die, and with a very narrow subset of functionalities, it is no longer needed. Best to let it go so that we can have one less vulnerable client downloading and executing untrusted on our computers.