But there's no room for complacency, warns a report by Qualys, as attacks are coming ever faster and 85% of the damage hits in the first 15 days of an outbreak.
Attacks have also shifted focus away from servers to the client-side, caused by people opening infected email attachments or visiting a malicious website.
So far, the threat from wireless applications is minimal, causing only one in nearly 20,000 critical vulnerabilities.
The Laws of Vulnerabilities research is based on work by Gerhard Eschelbeck, CTO and VP Engineering of Qualys who for more than three years analysed statistical vulnerability data.
The aim was to allow organisations to recognise evolving threats and compare their remediation efforts with the rest of the industry. This year, the "Laws of Vulnerabilities" was drawn from a statistical analysis of nearly 21 million critical vulnerabilities, collected from 32 million live network scans.