The issue of official binpatches is not a critical problem, but it is still a problem. It is a security and usability issue simply not present in the vast majority of nix systems, and that should be acknowledged rather than downplayed, as this facet of OpenBSD is usually an unpleasant surprise for potential converts.
Repeating "secure by default" seems rather disingenuous when a freshly-installed system needs extra attention, and cannot automatically fetch the latest security updates.
Updates may be "trivial" to you, but they are still clearly more complex than the average system, as they require individual attention and recompilation. These speedbumps to security are not what "secure by default" implies.
Alternatively, relying on a third-party tool (and having to vet that extra party) is not "secure by default" either.
Your final points are distracting from the issue and verging on ad-hominem. Firstly, first-party binpatches are so prevalent that noticing their absence is hardly significant scrutiny. Secondly, just because OpenBSD is very good in some areas doesn't mean we can ignore deficiencies in other areas.
OpenBSD does not try to be everything for every person and I think it's fair to put some things in context. Just because other systems provide binary patches for security issues (and I haven't so far named and will continue to not name other OSs, but many have a lousy track record of doing so to begin with), that does not make them automatically more secure than OpenBSD, which has so many active pro-security measurements built in from the start and where updates are provided, but not officially via binary patches. I think a lot of the comments did not acknowledge the circumstances and see the greater picture and my sense of a need for some further context was justified.
But your original comment was: "Does it seem a little embarrassing to anyone else that this is necessary? OpenBSD is supposedly the most secure nix platform available, and yet users have to resort to third-parties to get functionality that is available on nearly every other nix system by default."
So no, I don't consider it to be embarrassing for a little project that does so much in so many ways (part of it being that every single security issue is addressed and patched swiftly across multiple architectures, full disclosure is practised et cetera) to not provide binary patches while having an experienced community accepting of this. This last part actually what makes OpenBSD such an efficient catalyst for innovation, since people accept breaking backwards compatibility, turning on security mitigations while it might brake some stuff here and there, et cetera...
Repeating "secure by default" seems rather disingenuous when a freshly-installed system needs extra attention, and cannot automatically fetch the latest security updates.
Updates may be "trivial" to you, but they are still clearly more complex than the average system, as they require individual attention and recompilation. These speedbumps to security are not what "secure by default" implies.
Alternatively, relying on a third-party tool (and having to vet that extra party) is not "secure by default" either.
Your final points are distracting from the issue and verging on ad-hominem. Firstly, first-party binpatches are so prevalent that noticing their absence is hardly significant scrutiny. Secondly, just because OpenBSD is very good in some areas doesn't mean we can ignore deficiencies in other areas.