by criddell 1564 days ago
It does get rid of a lot of noise in your log files. Plus, it's foolish to assume ssh is bug free.

There hasn't been a pre-auth remote vulnerability in stock OpenSSH since 2002. It is not for lack of looking. OpenSSH is one of the hardest targets on the Internet: I trust my kernel less.
I've been in the SSH code enough to be somewhat terrified by it. The main server loop has so many nested macro conditionals that it's exceptionally difficult to read precisely.

That said, fail2ban had an RCE in the last year, so if we're considering trustworthy surfaces, I definitely agree, and practice, that I trust OpenSSH a whole lot more than a lot of other software that may come up in the discussion.

qmail has one of the most notoriously inscrutable codebases of all time, and it has a startlingly good track record, because there's a coherent security design behind it; the same --- to a greater extent! --- goes for OpenSSH.
There's a side of this that I agree with; however, there are other sides.

The reason I've been in the code base a bunch is because I've taken on support of forks bootstrapped by others in various scenarios.

Design safety goes a fairly long way, but it's so easy to screw up patching code shaped this way. I might trust the core, but I don't trust external patches.

The problem in practice is that distros can't help themselves.

I wouldn't trust external patches to OpenSSH either.
Maybe qmail and SSH have their good track record because of security by inscrutability.
Exactly. You are trusting that sshd, the OS, RAM controller and CPU are all bug free.