It's safer to only use vulnerability counts as a metric for how interesting software is to security researchers.