The July/August 2007 issue of IEEE Security and Privacy (Vol. 5, No. 4) has an interesting article, "Estimating Software Vulnerabilities" (subscription required).
Any given piece of software has some number of publicly disclosed vulnerabilities at any moment, leaving the system exposed to potential attack. The author presents a method for identifying and analyzing these vulnerabilities using public data from easily accessible sources.