Windows has had a lot more named high-CVEs than that: MonikerLink, QueueJumper, Certifried, HiveNightmare...

As for "Linux", you'd need to specify the distro and environment, because Linux systems can be very different from one another. Your XZ example for instance didn't even affect most enterprise distros (like RHEL). regreSSHion didn't affect any musl libc distros like Alpine, but other systems would've also been unaffected had you set your LoginGraceTime to 0, which any sysadmin worth their salt would've done so. Leaky Vessels fails on SELinux enforcing distros (RHEL, Fedora etc) and sandboxed environments. I could go on, but you get the picture. Comparing the number of "Linux" vulnerabilities to Windows is completely pointless.