They cite grsec, that guy is a notorious troll. I’ve seen customers apply their patches thoughtlessly, on bad advice, and bring down production systems. Linux security isn’t perfect (if it was I would be unemployed) but a lot of those problems are solved on properly configured modern systems.

I do Linux research for a living and I barely give a shit.

The best feedback I ever got on an assignment in grad school was “wow, your homework looks like a textbook!”

It may not always be correct, but it’s always pretty!

They usually don’t have a choice. They know this stuff is bad, but they need it to demonstrate compliance with XYZ framework so they can fill out the marketing copy so sales can land a contract with some big customer that wants to know why $competitor has better security than you.