tptacek 2 days ago

It sounds like common sense, but halfhearted diversification --- which is all that's available to mainstream users and enterprises --- can easily reduce security. That's because almost all real world security is logically perimeterized, with a single outward-facing attack surface that's given attention and an implicit premise that post-compromise persistence and pivoting is a given. Nobody survives an internal pentest, not even in 2025.

So by running BIND on Linux and Apache on OpenBSD and trying to tie it all into MSAD, what you're really doing is just expanding your attack surface, and once any of those are broken, attackers won't have to care about the state of the art in vulnerabilities to extend access from there.

The "monoculture" stuff is a product of a time when security pundits worried Microsoft was running the table on corporate IT. We're (generally) SAAS startup people here and very few of us run any Microsoft stuff. Almost all of us are better off extensively hardening a single Linux server environment than we are deliberately trying to sprinkle in NetBSD and Microsoft servers. That doesn't improve security; it just turns your network into a CTF challenge.