
That is, to put nicely, forced-obsolescence FUD. They want to scare you away with words like "unsupported" so they can keep you on their leash.

With the state of software development today, I'd be more worried about how many other holes they've added in the process of fixing something or introducing unwanted new "features"[1].

Here are some interesting statistics to look at and compare...

https://www.cvedetails.com/product/462/Microsoft-Windows-98s... - 30 RCEs in 7 years

https://www.cvedetails.com/product/739/Microsoft-Windows-Xp.... - 276 RCEs in 20 years

https://www.cvedetails.com/product/32238/Microsoft-Windows-1... - 664 RCEs in 8 years

https://www.cvedetails.com/product/102217/Microsoft-Windows-... - 157 RCEs in 2 years

More relevantly:

https://www.cvedetails.com/version-list/1224/19997/1/Google-...

[1] https://news.ycombinator.com/item?id=28449607




Are you claiming that unpatched software is more secure than patched software?


He's claiming that, with the amount of features being added, for every security bug fixed in an update a bunch more are added.

However, that ignores the fact that publicly known exploits are more dangerous for the average user than zero-days.


It ignores a whole lot more than that. For instance, are we seriously going to pretend that the threat landscape in the Windows 98 and XP eras was anything like what it is today?

Well, I'm not. If he wants to daily drive Windows 98 because it had fewer documented RCE vulns, godspeed to him---and he probably will be more secure, just by virtue of good ol' security through obscurity---but that is not a reasonable solution for 99.999howevermanyninesyouwant% of computer users today.


The threat was arguably exponentially worse during the XP era - Windows boxes with a huge default attack surface were directly connected with public facing IPs to a 32-bit IP space that could be trivially brute-forced by worms. There's a reason we haven't seen anything as bad as Blaster in the past decade: NAT.

The rate of finding exploits and the definition of a vulnerability are really what has changed - now the definition is much broader while, at the same time, exploitability has dropped off due to mitigations in modern operating systems, compilers and CPUs. Overall, we get far more exploits, but far fewer of significance.


Yes, it was not my intention to imply that those old operating systems were fundamentally more secure in some way. You're getting at it here: the space has broadened, and asserting that old software is more secure than new software based solely on documented RCE counts is laughable.



