And OpenBSD advertises "two remote holes in the default install, in a heck of a long time". And they're pretty serious about audits. It happens. But like the other comment said, this is about supply chain attacks via automatically executing code from live urls and not human fallibility.