[phs318u]

Let's be clear on this. No matter how secure the operating system initially, if it stays unpatched then over time it will become more and more vulnerable as uncovered exploits go unfixed.

The reason a machine might go unpatched is because it might support some critical hardware (eg medical) for which there is only one or two vendors and only a particular combination of HW and SW are supported (eg due to a specific custom hardware driver).

To lay the blame for this at a single vendor's feet is naive.

[pier25]

True, but I'm sure there are a lot of cases where the OS wasn't updated because of the necessary investment to jump to a new Windows version.

[kijin]

There are very few free/open-source operating systems that get security patches for as long as Windows does.

Major versions of OpenBSD are only supported for 5-6 years. Most Linux distributions only get 3-5 years. Red Hat promises 10 years of support, the same as Windows 7/8/10. None comes close to the 13 years that Windows XP was supported for.

So you're gonna have to update anyway, at roughly the same interval if not more often, as if you had used an enterprise edition of Windows.

[microtonal]

Major versions of OpenBSD are only supported for 5-6 years.

I thought that security updates are only made for -current, the current stable release, and the previous stable release. So, 1 year of support, not 5-6.

A cursory look at the errata seems to confirm this.

[kijin]

Most of the time, upgrading from one minor version to the next is painless. If you installed OpenBSD 5.0, you are expected to keep updating all the way to 5.9. (For some reason, OpenBSD always makes exactly 9 minor versions for each major version.)

Most Linux distros don't even make any fuss about minor versions, using them only as an opportunity to build fresh installation images. New minor versions are security patches for the major version and all previous minor versions.