And OpenBSD advertises "two remote holes in the default install, in a heck of a long time". And they're pretty serious about audits. It happens. But like the other comment said, this is about supply chain attacks via automatically executing code from live URLs and not human fallibility.
They did, and no one is perfect. But Debian is the best.
FWIW, the subject at hand here isn't accidentally introduced security bugs (which affect all software and aren't well treated by auditing and testing). It's deliberately malicious malware appearing as a dependency to legitimate software.
So the use case here isn't Heartbleed, it's something like the xz-utils trojan. I'll give you one guess as to who caught that.
IME Debian is falling behind on security fixes.