That depends on the context.
How does one define "new code"? Something one just hacked and never did any static code analysis, code review, testing, etc. on? Well of course that new code is buggy.

How good / high is the barrier of validation / verification in order to accept proposed new code into the production tree? If it is pretty high NOW vs. was pretty low and unstructured BEFORE "ah it compiles and seemed to work the one time I ran it" then, yeah, I'd think a new code base REQUIRING strict static code analysis and warning checks and unit tests etc. etc. could have a LOT better ratio of bugs per line of code than some legacy code base that had none.

Also if the new code base adhered to principles like design by contract, orthogonality, encapsulation, range / validity verification pre / post conditions, etc. then it's probably quite likely one can write code that is highly probable to "do what it guarantees" correctly upon the first commit after test / review. Absent that then yeah the first invalid input may make the whole program output undefined behavior from then on.

Enforcing type safety, memory safety, ownership safety etc. obviously just tools in the tool box to make it harder to even WRITE and BUILD code that is incorrect
with the ultimate ideal being able to prove correctness and specification / contract compliance of a piece of code at which point you're probably just as likely to have
processor bugs as compiler / code bugs since in normal circumstances one has some good rationale to believe things will work as intended other than due to some subtle problem not so obvious in the code itself.

I do not recall asking a question.

Well, no. If you claim that rewrites have more bugs than "mature code" then you need to consider all examples. Not only there which prove your point. Otherwise it's just selecting data that prove your point and ignoring all data that say otherwise. I'd call this a lie.

Asking for a list of rewrites that went well would be absurdly subjective and is not real data.

However, people have been trying to write bug free software for decades and they have failed remarkably outside of a few formally verified cases. Software writing without formal methods is full of bugs. That is a fact.

He one doing cherry-picking here would be you. I have not only seen data on this, but also experienced this reality firsthand as a developer. You do not like my description of reality, so you look for an excuse to call it a lie.

Same for asking rewrites that went terribly wrong on stackoverflow...

But other projects, like bash, fish, coreutil, etc, can certainly rewrite without introducing new bugs by having a better design, taking advantage of other well-maintained libraries and have comprehensive testing to even reduce bugs compared to the old software.

I think the best way to prevent malware is to cut the internet connection.
So you put the ZFS backup system entire off-line and only connects to/turns on it when needed.
Also, since most malwares now comes with browser as you have mentioned, it's already significantly more secure without web browser.

Asking for a list of rewrites that went well would be absurdly subjective and is not real data. There is plenty of software that people use that is full of bugs. The fact that rewrites will be more buggy does not necessarily mean that a rewrite will not go well, as long as the bugs do not really matter very much.

I never suggested such a thing. I suggested posting there to ask fir the statistical data on old code being less bug prone than new code that I have seen, but cannot link. In specific, the data on Linux kernel security bugs by age would be a good thing to ask to get. That data is eye opening and I really suggest you ask on Stack Overflow for a link to it so you can see it yourself.

Well, no. If you claim that rewrites have more bugs than "mature code" then you need to consider all examples. Not only ones which prove your point. Otherwise it's just selecting data that prove your point and ignoring all data that say otherwise. I'd call this a lie.
[edit]
And there are security flaws that are much older than few years.
Eg.
https://nvd.nist.gov/vuln/detail/CVE-2021-27365 – in kernel which was discovered after ~15 years.
https://nvd.nist.gov/vuln/detail/CVE-2021-4034 – in polkit discovere after ~12 years.
And there is much more such bugs. And probably much much more which are waiting to be discovered.

There are significantly more CVEs in Linux because it keeps getting bigger and more complex.

4.x adds linux namespace, cgroup v1 and v2.
5.x add io-uring, pidfd, new clone3 syscall.
6.x adds more io-uring requests, more drivers, some refactor to memory subsystem, etc

It's hard to say that these CVEs are caused by the refactor and rewrite, when there are so many new features added and so many new drivers added.