Re: One thing the FSF seems to be overlooking...
How often are security updates released for any open source project?
Almost every month.
Buffer overruns, cryptography flaws, bugs in new functionality.
Maybe some of those "bugs" are back doors being inserted deliberately. They don't have to last long; there just has to be one in every release, so whether or not you upgrade they can get you.
Maybe that one guy on the project isn't "one guy". It's a team of NSA programmers working out how to put a plausible bug in this month's security update while fixing last month's crop of "bugs".
And if you spot the bug, they are only too happy to fix it. After they spend weeks swearing up and down that it isn't their code, and asking you to provide exhaustive debug traces etc. Like almost every programmer.
A zero day doesn't have to last for ever, just long enough for the next zero day to "turn up" (be inserted).