Most of the metrics, etc. are not new [1]. The two new things are:
1. Mudge has enough credibility that, at least for now, most security people trust his assessments.
2. He's willing to publicly assign grades, and take all the backlash and legal heat that entails.
Really, it's the second one that will probably make the most difference here. If his organization manages to survive the first couple of years without being sued into the ground, I expect it will have a big impact on the software world.
[1] From what I can tell from reading the article. They could certainly be doing more behind the scenes that didn't get reported.