A security expert compares Debian's security to that of Windows XP with partial security updates
by max.b from LinuxQuestions.org on (#5R6B0)
The lead dev of GrapheneOS (praised by Snowden and Dorsey) had some harsh things to say about the security of Linux and Debian in particular:
https://old.reddit.com/r/GrapheneOS/...droid/ekzo6c0/
Quote:
The Linux kernel is a security disaster, but so are the kernels in macOS / iOS and Windows, although they are moving towards changing. For example, iOS moved a lot of the network stack to userspace, among other things. The userspace Linux desktop software stack is far worse relative to the others. Security and privacy are such low priorities. It's really a complete joke and it's hard to even choose where to start in terms of explaining how bad it is. There's almost a complete disregard for sandboxing / privilege separation / permission models, exploit mitigations, memory safe languages (lots of cultural obsession with using memory unsafe C everywhere), etc. and there isn't even much effort put into finding and fixing the bugs. Look at something like Debian where software versions are totally frozen and only a tiny subset of security fixes receiving CVEs are backported, the deployment of even the legacy exploit mitigations from 2 decades ago is terrible and work on systems integration level security features like verified boot, full system MAC policies, etc. is near non-existent. That's what passes as secure though when it's the opposite. When people tell you that Debian is secure, it's like someone trying to claim that Windows XP with partial security updates (via their extended support) would be secure. It's just not based in any kind of reality with any actual reasoning / thought behind it.
Fair criticism, would you say?
Security issues aside, I quite like Debian. Is it true that only a fraction of CVEs actually get fixed in Debian Stable? I always assumed that they all get fixed.
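One of the quoted claims, that "the deployment of even the legacy exploit mitigations from 2 decades ago is terrible", is something an administrator can measure on their own Debian (or any Linux) system rather than take on faith. The following is an added example, not code from the Reddit comment, the LinuxQuestions post, Debian or GrapheneOS: a small Python ELF64 inspector that reports the four mitigations the usual checksec-style scripts derive from readelf output (PIE, non-executable stack, RELRO, stack canary) by parsing the program headers and dynamic section directly. The `build_sample_elf` helper produces a constructed, minimal ELF image purely so the checker can be exercised offline; that image is not a real program, and the file name `elf_mitigations.py` in the usage note is an assumption.

```python
import struct
import sys

# ELF constants from the ELF64 and GNU ABI specifications
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_NULL, PT_LOAD, PT_DYNAMIC = 0, 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS = 0, 5, 10, 24, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0x6FFFFFFB, 0x8, 0x1
EHDR_FMT, PHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def _vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    return None


def elf_mitigations(data):
    """Report PIE / NX / RELRO / stack-canary status for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    loads, dynamic, stack_flags, has_relro = [], None, None, False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True

    # Walk the dynamic section for BIND_NOW and the dynamic string table.
    strtab_va, strsz, bind_now = None, 0, False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, struct.calcsize(DYN_FMT)):
            d_tag, d_val = struct.unpack_from(DYN_FMT, data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_STRTAB:
                strtab_va = d_val
            elif d_tag == DT_STRSZ:
                strsz = d_val
            elif d_tag == DT_BIND_NOW:
                bind_now = True
            elif (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True

    # A dynamically linked binary built with -fstack-protector imports __stack_chk_fail.
    canary = False
    if strtab_va is not None and strsz:
        off = _vaddr_to_offset(loads, strtab_va)
        if off is not None:
            canary = b"__stack_chk_fail\0" in data[off:off + strsz]

    return {
        "pie": e_type == ET_DYN,
        # A missing PT_GNU_STACK gives no NX guarantee (historically an executable stack).
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": "full" if has_relro and bind_now else ("partial" if has_relro else "none"),
        "canary": canary,
    }


def build_sample_elf(pie=True, nx=True, relro="full", canary=True):
    """Constructed minimal ELF64 image for offline testing; it is not a runnable program."""
    base, phnum = 0x400000, 4
    dyn_off = 64 + 56 * phnum                # header plus four program headers
    strtab_off = dyn_off + 16 * 4            # four dynamic entries precede the string table
    strtab = b"\0" + (b"__stack_chk_fail\0" if canary else b"puts\0")
    total = strtab_off + len(strtab)
    flags = DF_BIND_NOW if relro == "full" else 0
    dyn = b"".join(struct.pack(DYN_FMT, t, v) for t, v in [
        (DT_STRTAB, base + strtab_off), (DT_STRSZ, len(strtab)), (DT_FLAGS, flags), (DT_NULL, 0)])
    relro_type = PT_GNU_RELRO if relro != "none" else PT_NULL
    phdrs = [
        (PT_LOAD, 5, 0, base, base, total, total, 0x1000),
        (PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 8),
        (PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16),   # RW vs RWE stack
        (relro_type, 4, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 1),
    ]
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 62, 1, base,
                       64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + dyn + strtab


if __name__ == "__main__":
    targets = sys.argv[1:] or ["<constructed sample>"]
    for name in targets:
        blob = build_sample_elf() if name == "<constructed sample>" else open(name, "rb").read()
        print(name, elf_mitigations(blob))
```

Run it as `python3 elf_mitigations.py /usr/bin/*` to get a per-binary table for an installed system; with no arguments it checks the constructed sample. The canary check relies on the `__stack_chk_fail` import, so statically linked binaries are not covered, and a missing `PT_GNU_STACK` header is deliberately counted as "no NX" because the loader then provides no guarantee.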