X.Org's Indirect GLX State Is Frightening Researchers


  • #11
    Originally posted by trek
    like with systemd and wayland?
    When Weston (which afaik is the only Wayland compositor that supports fbdev) is using a legacy, known-insecure display driver (which is by far not the most common case, and if you are using fbdev you've already lost)... those are some pretty big caveats.



    • #12
      Originally posted by karolherbst
      you are aware, that any application can record your entire screen the entire time?
      Yes, and I don't care. Are you aware of how many people actually take advantage of this?



      • #13
        Originally posted by schmidtbag
        Yes, and I don't care. Are you aware of how many people actually take advantage of this?
        It is hard to tell, because it is not trivial to detect, and even if detected the hacked party could simply choose to handle it under NDA or another legal instrument to protect stolen IP/agreements (this is quite common with government contractors), and since this has been a won't-fix since forever, it is not like it will make it to CNN every time for you to know.

        So the exact number could be in the hands of big security firms' analysts but not in the wind. Besides, nothing stops private security analysts from actually patching this themselves downstream (for a hefty sum), since they aren't obligated to keep compliance with the protocol in any way as long as they patch the target client. I've seen this behaviour a lot with other cases too.



        • #14
          Originally posted by starshipeleven
          that's a bug, and I'm not sure Wayland has a role.
          For Xorg it's like that by design (or lack thereof) since the thing came from ancient times where this wasn't an issue.
          A security flaw can be a bug or implemented by design, but I would focus on how it is exploitable: Shellshock, a bash security flaw by design, is exploitable only on some servers, with no impact on the client side, and once patched all is fixed; on the other hand GHOST, a glibc bug, is exploitable on any client or server, and once patched all the programs must be recompiled.
          So it is definitely not an issue if a flaw was wrongly designed or wrongly written, it has to be fixed anyway!



          • #15
            Originally posted by trek
            a security flaw can be a bug or implemented by design, but I would focus on how it is exploitable:
            You should also focus on how it is fixable, and you will understand and stop pissing off people.

            A bug is a mistake, big or small, and in general it can be fixed with some swearing... I mean sweating behind a keyboard.

            A design error is a HUGE mistake, and fixing it is non-trivial because half of your program was written to do X in the wrong way.

            In many cases of design error you end up rewriting large portions of software.

            This gets even worse when standards pour in. One of the reasons Xorg remained a horrible monster is that it has to provide the FULL X11 protocol even if applications only use a tiny bit of it. It cannot just drop ancient crap no one uses or do major changes to the API because it is branded as an X11 protocol server.

            To give an example, the "fix" for the design errors in Xorg/X11 is Weston/Wayland (and company). An entirely new system and protocol, that takes from Xorg only "learned lessons".
            It's taking years and significant effort.

            The same goes for the issue of the fbdev driver you linked, which is an old crappy framebuffer driver. If no one steps up to fix it, though, it will eventually get nuked and something better will replace it.
            Last edited by starshipeleven; 27 May 2016, 02:46 PM.



            • #16
              Originally posted by trek
              like with systemd and wayland?
              That got reverted a while back already.



              • #17
                Originally posted by schmidtbag
                Yes, and I don't care. Are you aware of how many people actually take advantage of this?

                Well, you wanted to hear about security issues and now you don't care :/ Troll somewhere else please.



                • #18
                  Originally posted by log0

                  Dude, what are you on about? It is just disabled by default. It is not going anywhere.

                  A lot of people I know use indirect rendering to visualize data. If it goes off by default, it is highly possible some servers get updated with the feature off.

                  You could say it's the fault of the guy in charge of the server, but also some people use work computers at home with ssh, and use that to visualize data as well.
                  In that case they'll get the packages from Ubuntu, or whatever, which would have the feature off. A lot of people aren't able to rebuild their own version of the Xserver to replace the packaged one.



                  • #19
                    I do somewhat understand the perspective here. Is Wayland over something like VNC or RDP not going to be good enough? If so, perhaps having an X12 might actually be worth it. Aside from the massive workload it would create on an already stretched thin community, I don't see why it would be ideal to make a protocol do something it's not meant to do, while X11 and Xorg need to be heavily revised in order to work in a secure and modern fashion.



                    • #20
                      Originally posted by mannerov

                      A lot of people I know use indirect rendering to visualize data. If it goes off by default, it is highly possible some servers get updated with the feature off.

                      You could say it's the fault of the guy in charge of the server, but also some people use work computers at home with ssh, and use that to visualize data as well.
                      In that case they'll get the packages from Ubuntu, or whatever, which would have the feature off. A lot of people aren't able to rebuild their own version of the Xserver to replace the packaged one.
                      The feature isn't getting compiled out, it's still there. They just have to restart X with the setting changed to enable it, no recompile necessary.

                      If you're using a feature like indirect rendering, you can figure that out.
