> they deliberately disable every service by default and don't install any software beyond core.

Do you prefer that or everything (or most/many services) being enabled by default? It's a good practice and, for me, very practical - I don't need to find everything I'm not using and disable it.

Nobody is saying that their minimal default install is itself problematic.

But trumpeting your default install's safety record doesn't actually say much when the default install doesn't actually do anything. As soon as you add a package or a port you're beyond "default install" territory and their vaunted security reputation's coverage.

I think we agree except one point: IMHO the security of their default install is worth trumpeting: disabling by default is not a technical wonder, but it's good security that others don't do.