In theory.

But real defenses are generally multi-layered. And in that context, a Swiss cheese slice with only one hole is still extremely valuable.

Well, that's where OpenBSD falls short, it lacks facilities to really enforce defense in depth - even NetBSD has some better features in this regard.

I don't think that's true? It runs most services as their own separate users, with pledge+unveil to limit what they can access even more. That's very much depth.