
I talked to Alex briefly at CanSec about your strategy. I appreciate the idea of setting a minimum bar, but it can start to sound like selling feel-good security. It's easy to say in hindsight "all you had to fix was these ten bugs and ignore the rest." The truth, however, is that you can't reliably predict that in advance. History has shown that even the low-end mass malware moves to more advanced techniques as targets become harder. And, of course, the strategy you're proposing does nothing for those at risk from targeted attacks (which is something I'm professionally seeing more and more of).



Actually, history does not show that low-end mass malware moves to more advanced techniques and you CAN predict the vulns they'll target in advance, as long as you're familiar with their motivations, capabilities, and incentives. http://www.trailofbits.com/research/#eip

Again, show me an actual attack that has exploited Safari. Ever. Targeted, mass malware, I don't care. Apple has better shit to worry about and their investment in Seatbelt was worth 1000x more than individually fixing the limitless supply of bugs in Webkit. Problem solved, move to next actual issue.


You can scope the discussion to mass malware on desktop Safari, but that's just reductio ad absurdum. Any Fortune 500 company or government has to be concerned with real attacks, not just tamping down the noise floor. And as for Apple, they've historically been more interested in protecting their manufacturer subsidy by stopping iPhone jailbreaks--in which WebKit exploits against Safari have played a key role.



