[comex]

All true, but I think the situation looks a little worse for centralization if instead of 'security features', you think in terms of 'vulnerabilities' (almost but not quite an antonym). Signal probably has a lower vulnerability rate than competing software, but if someone finds an implementation bug, it can be used against every user on the network. Compare to, say, IRC, where there are a lot of really poorly written clients, but the sheer number of clients in use would limit the fallout of any one exploit.

Likewise, Open Whisper Systems is pretty trustworthy, but if someone gets access to their servers, either by hacking or by coercion, and starts, say, logging metadata (who's chatting with who), all Signal users are compromised. When I chat on a private (and SSL-only) IRC server, the security guarantees are awful compared to Signal - and I'm not saying that's not a problem - but at least I know that my conversations will only be compromised if someone really has it out for my group in particular; they won't show up in some massive leak and/or government database.

This also applies to binary distribution. When software is compiled by N different distros or package managers or by users directly, that does make it hard to get security updates out in a timely manner. But with a centralized system like Signal's, if the binaries are compromised, everyone is pwned. Yes, measures like reproducible builds can reduce the risk, but they're far from perfect. Is there even anyone who verifies Signal builds on a regular basis/automatically?