I used to say there were only ... a few hundred (in the latter category). These are people who like to play with software and figure out how to find exploits into the software. That requires lots of good technical talent and knowing how to do software testing.
The fact is, you can get lost in the statistics, and I think a lot of people will be surprised by the Linux vulnerability numbers. But it's impossible to write perfectly secure software that's also functional.
These are not your average hackers. They're highly skilled people who try to find holes in commercial software.
You can get rid of all the ankle biters by using basic things, and people don't realize that,