rollcat 5 days ago

I think in case of any security-critical project it's important to evaluate the track record objectively:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=OpenSSH

It's true that there are 5 advisories so far in this year alone, but let's consider the actual impact:

    CVE-2025-32728 - Error in documentation, possibly leading to misconfiguration
    CVE-2025-30095 - Debian+dropbear-specific
    CVE-2025-27731 - Windows-specific; local privilege escalation; OpenSSH doesn't target/support Windows
    CVE-2025-26466 - Remote DoS
    CVE-2025-26465 - MitM involving host key DNS verification; high attack complexity (relies on exhausting client memory)

OpenBSD enables sshd(8) in the default install, and has so far had two RCEs in 30 years. Now, not everyone runs OpenBSD, but I'd personally throw the stones at e.g. Debian (see CVE-2008-0166).