To the feature creep: that’s kind of the point. Why have a million little configs, when I could have one big one? Don’t answer that, it’s rhetorical. I get that there are use cases, but the average user doesn’t like having to tweak every component of the OS separately before getting to doom-scrolling.
And that feature creep and large-scale adoption inevitably has led to a wider attack surface with more targets, so ofc there will be more CVEs, which—by the way—is a terrible metric of relative security.
You know what has 0 CVEs? DVWA.
You know what has more CVEs and a higher level of privilege than systemd? The linux kernel.
And don’tme get started on how bughunters can abuse CVEs for a quick buck. Seriously: these people’s job is seeing how they can abuse systems to get unintended outcomes that benefit them, why would we expect CVEs to be special?
TL;DR: That point is akin to Trump’s argument that COVID testing was bad because it led to more active cases (implied: being discovered).
is it overengineering or just a push back against “make each program do one thing well,” and saying yeah but I have n things to do and I only need them done, well or not I just need them done and don’t want to dig through 20 files to do it…