It's just pure marketing, and most people are falling for it. The primary issue stems from their definition of "vulnerability". Most C code will be _swimming_ in vulnerabilities depending on how you analyze it (ie function that accepts a pointer but doesn't validate -> potential vulnerability right there). The only thing that matters is if it's de facto exploitable or not.