“The software has to present a worthwhile target (ie have a substantial long term userbase) before anyone will bother to look for exploits”

MaraDNS is a worthwhile target; two people have been auditing it this year, in fact:

https://github.com/samboy/MaraDNS/pull/137

https://github.com/samboy/MaraDNS/security/advisories/GHSA-c...