Unfortunately not. Judging security is actually really hard! But CVSS is essentially a useless number in every sense, and number of CVEs is not directly useful because different OSes get different amounts of attention. My hobby OS is not infinitely more secure than Linux just because it has no CVEs, for example. On might thing that "mitigations" or "vendor approachability" could be used, but they are only part of the story and have their own problems: some software (not saying which…) is known to just glom on "mitigations" without abandon that don't actually help. And, while rarer, there are vendors who respond appropriately to bug reports but fail to ever actually meaningfully improve security.
Really, the best way to judge security is to ask security researchers: they break the software, they're at the forefront of what it takes to do this and what kinds of things the software is doing to keep them out. They'll tell you which things work and which don't, and how "serious" a vulnerability is (assuming it's not one they found, because they're not immune to bragging :P). In general, across the modern OSes, there is no "one" OS that is more security on every front. Windows has its own issues in subsystem X, Linux is broken in responding to Y, etc.
Really, the best way to judge security is to ask security researchers: they break the software, they're at the forefront of what it takes to do this and what kinds of things the software is doing to keep them out. They'll tell you which things work and which don't, and how "serious" a vulnerability is (assuming it's not one they found, because they're not immune to bragging :P). In general, across the modern OSes, there is no "one" OS that is more security on every front. Windows has its own issues in subsystem X, Linux is broken in responding to Y, etc.