I wonder what would happen if you did a similar study of Moodle.
I do find it interesting to see that the report mentions BB8 with SP6 - I'm hoping it was written before SP7 was released - if not - then it's a bit like doing a report on Moodle 1.9.8 and listing all the known Security issues. If it is the reason SP7 was released - then great!
I've seen similar reports on Moodle - Moodle core usually comes out pretty good although security report writers often get confused over the Moodle var "sesskey" - thinking it is actually the PHP session. Most security reports that I've seen like this find issues with 3rd party modules/code that need to be addressed and occasionally some weird edge case security issues with core code (usually quick/easy to fix).
But... It would be relatively easy to write a similar report based on say Moodle 1.9.4 - and state "This is still a widely used version" - No matter how hard we try security issues will still sneak in, and it's probably a given that there are probably some CSRF/XSS issues in current stable code that no-one has discovered/noticed yet - all we can do is promote good coding guidelines and try to improve peer-review (the proposed new workflow for development when we move to git sounds like it could improve this a lot).
"Due to the use of single sign-on systems examination results can be modified or in the worst case a student can graduate effortlessly."
Now, if only they had been using Blackboard when I was at college I'm sure I could have "graduated effortlessly"!
On a more serious note, the whole 'single sign-on' philosophy does mean that 'the risk is bigger' of course (something that is not often discussed or even considered).