Can you share source of this data? I have my doubts about the quality of the data, since OAuth2 is such a complex system with so many footguns.

In the end there is always some long lived secret. What changes is just where and how it is stored, secured and used.

I bet we can generalize to say that data shows that you will likely fail to properly secure any secret (including the ones used in OAuth2).

EDIT: An example: https://news.ycombinator.com/item?id=37973937