Thomas, I would love to get some insight on OS choice from someone so well respected in the security community, and maybe a short mention of why OpenBSD's security laurels may not be well deserved.
Some of the hype exceeds reality. I think the OpenBSD team at least tries to keep it level-headed (but that's hard; everyone's biased in their own way), but the forum chatter version tends to eradicate subtlety. Second, what the operator does to a system matters at least as much as what they start with.
I don't know if it's what Thomas is referring to, but I ran OpenBSD in production for several years at a previous job. I found that, in practice, actually getting our platform to do what we wanted involved large numbers of ports (i.e., outside the base system) being installed. Sometimes, dozens of them. And this is where obviously your mileage will vary, because that depends on what your servers are doing.
OpenBSD's incredible code quality quite obviously doesn't apply to the ports tree (and that's not their fault) but we quite often ran into less popular products and third party libraries where the ports were updated in the order of weeks later than things like RedHat RPM for the latest vulnerability.
At one point I backported a hotfix myself, the requirement of which was not conducive to security.
Disclaimer: This was years ago, things may have changed.
The ports tree is obviously not audited by OpenBSD. The code comes from all over the net, and the only thing OpenBSD does is enforce security mitigations/64-bit time_t/arc4random/other coding practices in the base system, fix broken ports, send patches upstream, and try to drag the whole open-source software community to better coding practices.