There is something to Linus' stance, because the same problem has historically been shown in Linux. A lot of fanbois who were trying to say Linux is so much more secure than Windows even after Microsoft did some in-house practices clean up before the run-up to Vista. The point is, Linux isn't any more secure than Windows, and in some ways it's considerably less secure in practice than Windows against certain kinds of attacks (and vice versa) once hackers started prying into its guts and standard practices. Neither is more or less secure than the other as a general across-the-board rule. Likewise, OpenBSD gets a lot of fanboism about being "the most secure"... but the problem with that is the same problem Linux had in the 00's. Few people are really looking and a lot of mythology has grown up around that religious fervor. The OpenBSD developers have rarely had to properly defend their decisions against the kind of security research and determined hacker regularly poking and prodding at Windows, MacOS, Linux and to a lesser degree FreeBSD. That's undoubtedly lead to some features that aren't well thought out, unnecessarily complex or performance limiting, or outright broken while the lack of some features can cause artificial degradation in hardware lifetime or performance for merely theoretical or nebulous/unquantified returns. One can applaud the intent without agreeing with the implementations.

Ultimately, the problem with OpenBSD is the same one that hangs over all the BSDs, Linux, Windows, and every other legacy OS. Their security paradigms originate in a time where the only problem to be solved was how to keep local mostly competent and mutually respectful users from accidentally tripping over each other. The Internet didn't exist. All users were generally well educated and trained to use the hardware their organizations owned and access was restricted via having to be physically present at a terminal. When personal computers and terminals came along, damage was still usually limited to single machines or accounts.

They're all inadequate in a threat environment where you can't trust even the actions of otherwise competent users (it only takes one screwup - and believing that competent users never screw up is just plain willfully stupid) let alone Suzy Secretary who can barely turn the computer on and panics when an icon disappears on her DE, or much less the hostile world at large on the other side of the departmental firewall.