> So we need those third party applications to start the party, yet none of
> these applications receives the same code audit, security development and
> quality control as OpenBSD does.

But unlike on other operating systems, those applications are ALWAYS compiled with PIE, and the stack protector is ALWAYS on, and the address space is ALWAYS heavily randomized, and libc and the base libraries ALWAYS have various mitigations and other randomizations turned on. Approximately 100 mitigation components (large and small) add up, and apply to every single program run on such a machine in various ways (large and small). It is not zero sum.