
You probably need to rebase that for usage stats (install base)


The CVEs / Install Base ratio is a pretty silly metric for determining the security of a product. A large number of CVEs could tell you that the users and developers of a particular product care a lot (or are paranoid or are simply security minded) about security, and want to give notice of issues to as many people as possible.

This is a live issue in the Rust community, which does appear to care a great deal about security, as to how to deal with minor/theoretical vulnerabilities perhaps unworthy of a CVE.



