As documented on https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Metrics,
- Security Bugs (number open by priority each month)
- Security Reviews (number open each month)
- Training (training by quarter with number of attendees)
- Incident Response (number of incidents by quarter)
Are being tracked. Actual number of security bugs open, and incident documentation is considered private to the organization, and is tracked privately.