OpenSSH is a legitimately high bar, one of the hardest targets in all memory-unsafe software.

Curl is a high bar for a different reason (the same one as sudo): it doesn't do enough to be all that interesting. Stenberg is having trouble keeping up with all the inbounds, but look at the 2026 CVEs: they all seem kind of boring? Exploit developers aren't hunting for "wrong reuse of HTTP Negotiate connection". Like, yes, these are legitimate bugs, important that they get fixed, but none of them are prizes.

By rights, OpenSSH should be a smoking crater. It's not, I believe because of sheer engineering excellence.
