There's another issue too, which is that these codebases are all millions of lines long and very old. One of the most important steps to take towards reducing vulnerabilities in production code is taking the very expensive step of gearing the entire company ethos towards good quality, secure, well-written code, and making sure that all code is carefully reviewed by another developer before being committed. Carefully is the keyword here - just having another developer glance over it is no good; there has got to be support from the management to take the time to make a careful assessment of the code, not review as quickly as possible.
The impression I get is that Microsoft - along with many other companies - does have this attitude. Adobe and Oracle may well do so too. However, an awful lot of these vulnerabilities are being discovered in old code, not the new code which has only recently been written. All of the current-generation Windows OS and other products have had their codebases started whilst Microsoft was a modern, massive, and rich company which would have been able to afford to take these steps. By contrast, Flash and Java have a much longer history, going back through many years and several companies. Even if standards today are fantastic, it's likely that they're still fighting fires from vulnerabilities written into the code long ago by a much smaller former company which simply couldn't afford to take the precaution which Microsoft does today.