[KirinDave]

This is a tricky argument you make because it's so asynmetrical. You can essentially cherry pick the worst opsec and the most dedicated attacker and then use it to discount an entire technique.

I will not play this "Use OpenBSD because it has a new technique that is fashionable" game that I know is being played.

Custom baremetal custon built VMs is not really in the business of distribution appliance images. That's Docker. Different use case. So what IS done is a workflow to rebuild these images when they change.

And that's often. Their HTTP routing table is literally baked into the image. They're not "reusable" for the most part.