Right... but then if the threat is remote access, the author would have to remove nonsense like systemd making your box insecure (racy init shell scripts being the pinnacle of security), and old platform support that you don't build in OpenSSL being "abhorrent security practices".
Exactly this. If your threat model needs you to implement all of this, then also use TEMPEST hardware to really lock things down. No use in hardening everything when an attacker can read your screen from a safe distance with some SDR gear and a suitable antenna.