Well, my company funds itself by, amongst other things, going out and breaking web apps, and I'm going to assert without evidence that in both code quality and in environmental security (admin interfaces, etc), CF sites rank at the bottom, and .NET and J2EE sites are neck and neck at the top.
We're a Rails product shop and our dev team is recovery Lisp hippies, so that's not a BigCo bias, it's just the empirical observation.
I won't dispute your results, but those alone are insufficient evidence to suggest any correlation between languages and the ability to develop secure applications. It's a huge leap to say that ApplicationX, developed in Blub++, has more bugs than some completely different application developed in another language, therefore Blub++ is an insecure language.
More likely, the correlation is between security and a number of factors far from choice of language, such as developer experience, diversity of the development team, budget, etc.
Based on my own experience, I've seen that many CF developers are typically less experienced and work in smaller shops so those results aren't the least bit surprising. It's important to keep in mind that they say far more about the developers than the language the application was developed in.
We're a Rails product shop and our dev team is recovery Lisp hippies, so that's not a BigCo bias, it's just the empirical observation.