by bri3d
389 days ago

I agree with this. I also agree that there's no preferable situation. Apple have done a great job building mitigations and it shows in how difficult, expensive, and rare it is to fully exploit their platforms. I certainly wasn't intending to form a counter-argument that public exploits existing would be a positive signal, or that there's a preferable alternative situation.

My only point was that "anything public is dead is what you want to see" is not a particularly useful rubric in general. I get nervous when I see statements that suggest an absence of public exploit material or high "bid" price for grey market exploits as evidence that a platform is less vulnerable. My experience suggests this isn't really how the market works in general. There are way too many additional factors that affect both pricing and publication to use "public exploit availability" or "grey-market bid price" as a signal about a platform's security posture overall.

Anyway, reading back, I realize that you specifically weren't trying to draw that conclusion, but sibling comments are now - and it seems to be a really easy trap to fall into. See: every "security journalism" outlet every time a broker posts an Android bid that's higher than their standing iOS bid, or vendors and OEMs claiming their devices are secure because no public exploits exist.