[AlexErrant]

The original Keepass project has 11 CVEs. XC has 3, and has disputed all of them with e.g. "the vendor disputes this because memory-management constraints make this unavoidable in the current design and other realistic designs", etc.

[droidmonkey]

Additionally, the original KeePass project has no public development or public review process for their code. They do everything behind the scenes and only publish code when a release is made. KeePass is "code available" open source.