It's not a high bar, just plain honesty. I remember a while ago someone was promoting a language called v, making many claims of which some turned out completely untrue. This might be a norm in commercial software - some people believe that you can't sell anything if you don't exaggerate - but the open source world in general prefers a more honest approach. Hence many projects always remaining at 0.x release, for example.
It is a high bar that makes OpenBSD in security-sensitive roles way more appealing than a distribution with a lower bar. That high bar paid for itself repeatedly when I ran OpenBSD in the late 90s and early 2000s.
That's true, but not for the ports collection. There's all sorts of software there with historically bad track records in security. That's the point...it's just ports of a bunch of popular software.