I've always been impressed with Theo de Raadt and his OpenBSD team in this regard. Everything in the base OS is routinely audited and fixed quickly.

The link has a section named Audit Process, which is interesting.

https://www.openbsd.org/security.html