Nobody is saying that their minimal default install is itself problematic.
But trumpeting your default install's safety record doesn't actually say much when the default install doesn't actually do anything. As soon as you add a package or a port you're beyond "default install" territory and their vaunted security reputation's coverage.
I think we agree except one point: IMHO the security of their default install is worth trumpeting: disabling by default is not a technical wonder, but it's good security that others don't do.