Let's say I show up on this message board and say my house is more secure than a bank vault, because I have a special laser in my attic that vaporizes attackers if they come in my house. Would you believe me? Would you bother to even visit my house to prove me wrong? I mean, I can claim all I want that nobody has robbed my house, but at some point there is actually nothing of value here that means nobody has tried and nobody actually wants to try.

> Wouldn't a good systematic evaluation need (or at least benefit from) a few actual working exploits/PoCs?

Sure, see any of the previous exploits for sshd, or any other software shipped in the OpenBSD default install.

> I keep asking this as a long-time OpenBSD user who is genuinely interested in seeing it done, but so far everyone who has said "it's flawed" also reserved themselves the convenience of not having to prove their point in a practical sense.

The point is they have very little in the way of containing attackers and restricting what they can. Until pledge and unveil, almost all their focus in on eliminating bugs which hey, great, but let's have a little more in case you miss a bug and someone breaks in, eh?

An insecure dockerized webserver protected with SELinux is safer than Apache on a default OpenBSD install.