
Per http://www.openbsd.org, “Only two remote holes in the default install, in a heck of a long time!” I believe at least one of these was SSH related.


They switched to "heck of a long time" because they had that blurb of text since the 90s. So we're talking about 2 holes in about 25 years.

Though I think I heard some criticism of what counts and what does not for that tally, maybe 20 years ago.

The project was fairly innovative in including now-standard practices like having the daemon drop its privileges.


IIRC the criticism was that the default install has no services enabled, basically.


Yeah, people in the 90s really loved installing Red Hat 4 (not RHEL 4, the old versions) and getting a vulnerable pop2/pop3/imapd running by default after installs. You would get hacked within the hour if not behind firewalls.

Very unfair of OpenBSD (and other security-conscious OSes) to not compete on equal terms there.



