>Or possibly because it has a good track record.

"Only two remote code execution vulns in the default install" isn't saying much, because the default install has essentially no functionality. Similarly, RCE is not the only kind of vuln.

Let's just say it is not the mainstream consensus that OpenBSD is meaningfully more secure than an up-to-date linux. This may have been true in 1995, but it's generally acknowledged by people who know what they're talking about that OpenBSD's reputation for security is overstated.