[tptacek]

Vulnerabilities in the CS products are manifestly less threatening than vulnerabilities in Flash. The interaction required to trigger the flaws is (usually) much more deliberate, and the installed base is much smaller. Also, outside of Acrobat Reader, it is much harder to construct a credible spear phishing campaign using CS5 document formats (your benefits statements aren't normally .AI files).

Flash and PDF were/are genuine frustrations for the industry, but not because Adobe was particularly irresponsible. Instead, the problems with PDF and Flash were (a) that they were large complicated C programs built at a time when secure programming wasn't widely understood and (b) they were installed everywhere, making them particularly juicy targets.