I think that armitron's point is that Chrome gets exploited, like everybody else, despite being named in the article as the browser with the highest score. High score != "no vulnerabilities"
That may be the case (and the scores from Mudge methodology may be interpreted in such a way), but it is still a grey area, qualitative rather than quantitive, and it is perilous I feel to use them in such fashion.
After all what does "significantly more effort" mean? Yes there is raising the bar but do we know if _in practice_ those countermeasures make any sort of meaningful difference especially considering that a lot of the countermeasures can be defeated (ASLR -> information leaks, sandboxing -> hitting the kernel). Taking into account that the vast majority of cutting-edge offensive security research happens behind closed doors, the public has almost no visibility in this area.
If a South Korean teenager can break Google Chrome at his leisure, what about more resourceful adversaries that do not even have to be nation states?
Of course corporations like to talk exactly this kind of talk, raising the bar, "significantly more effort", better-than-the-rest and so on, since it lets them harbor the illusion that they're doing something but another way of looking at the data is this:
Google Chrome was first released in 2008. 8 years later, and it is _still_ remotely exploitable by solo individuals or small teams that release their exploits for not-a-lot-of-money. I'm singling out Chrome here because apparently it's the browser with the highest score in the OP report, but of course every other browser has the same issues.
Collectively, since the inception of the web, we have not had a browser that wasn't remotely exploitable. Can we do better? Judging from other critical software, it appears that we can.
Why haven't we??
Partly because the necessary processes haven't been there and I hope that the Mudge project will change that.
Let's move beyond smoke & mirrors to actual security.
This is why I think Servo is particularly exciting - while it's still a few years off being a practical browser, it should be immeasurably more secure than the existing crop of crufty C++ codebases. I think it (along with Rust) is by far the most important thing that Mozilla is working on.
I do not share your optimism re: Servo, partly because everything that has ever come out of Mozilla has been a disaster and I can't shed my prejudice, partly because Rust allows "unsafe" code (some feel this is all it takes) and partly because they've repeatedly said they'll keep using Spidermonkey (which is a security clusterfuck).
I would like to be proven wrong however, if not by them, then by others.
The payout ranges image on http://krebsonsecurity.com/2016/05/got-90000-a-windows-0-day... is somewhat quantitative. Chrome with sandbox exploit is 60% more valuable than the same for IE or Safari -- since Safari and IE are on the same tier, this is probably more due to difficulty of exploitation than due to user base.
