OpenBSD wouldn't say anything like that. They're well aware of the 40+ year old codebase's limitations, but accept it because they're not so stupid as to "rewrite it in <other language>" which will bring a million bugs.
They've innovated again and again in the security space and aggressively bring in new security features like pf, OpenSSH, W^X enforcement, pledge(), arc4random(), ASLR, so many other things.
Unlike, say, NPM, which can't even replicate existing packaging systems like yum or apt, and has been plagued with security flaws despite being built entirely out of a memory-safe language. Quite an achievement.
> aggressively bring in new security features like pf, OpenSSH, W^X enforcement, pledge(), arc4random(), ASLR, so many other things.
I'd say OpenSSH is a great tool, arc4random was great and pledge is interesting although doesn't do much for code that wasn't compiled with it (and they are still really lacking in ways to lock down apps for a 'security focused' OS), the rest is just their implementation of stuff that already existed not something they innovated.
Most of their reputation comes from a time when linux distros and windows had every service enabled and exposed by default, it just developed it's own momentum the way many myths do.