Okay. You could see it that way. Or you could read what the author wrote about who is to blame:

> No one person or team really made a mistake here, but with the benefit of hindsight it's clear the attackers perceived that the left hand of Debian/Fedora SSH did not know what the right hand of xz-utils was doing.

with OpenBSD not even being mentioned here