Cisco continuously blows my mind.

Did you mean to include the Juniper CVE's? In my experience, all vendors are constantly remediating CVE's. I wonder if Cisco has the most vulnerabilities discovered because they also have the most users, largest product offering, highest inventory, etc?

I've had a hell of a time patching Palo Alto's and Fortigates, too. Critical CVEs, day-one RCE attacks. It seems more profitable to rush out new code / new products, and just address vulns as they appear, rather than spending extra development time hardening the software.