I understand their reasoning, of course, because there's such a thing as principles and I can respect that. Still, how many of their users stay on 1.3 because of those same principles? How many just go and compile their own (un-secured) version of Apache 2.x instead?
OpenBSD has two major driving philosophies that I'm aware of - freedom of code and security of code - but in this case I have to wonder which one is more important. Is it more important to be as free as possible, even knowing that most (competent) admins will replace the secured Apache 1.3 with the non-OpenBSD-secured 2.2? Or should OpenBSD relent and include a secured Apache 2.2 in the default install, even though it's not as free as they would like, despite still being arguably 'free'?
As a pragmatist, I'd much rather have a secured 'slightly less free' OpenBSD install vs. a 'less secured' 'slightly less free' OpenBSD install. Maybe that's just me though.
Anyway, Apache 2.x is in ports nowadays; it hasn't been patched for security to the extent that the system Apache has been, but it's not a compile-your-own scenario.
The smaller codebase may be easier to secure, but the OBSD folks had problems with Apache's version 2 license changes, which they characterized as "less free".
I've never understood why low cost router and firewall software has tended to use Linux rather than OpenBSD or NetBSD, which has by and large pulled the security advantages from OpenBSD.
I tend to use it for basic services (firewall, DNS, e-mail) that I want to start with a decently secured base. It is actually pretty quick to install a server if you keep decent track of the config files and keep the ports handy.
Interesting that they are still on 1.3 rather than 2.2. I guess it's easier to secure with a smaller/older codebase.
edit: Kinda sad that they have given up commentaries with their songs. Still awesome for having the songs anyways.