Well, it's a viable assumption that the code base will simply continue to grow as, despite how many developers are involved and the amount of corporate money thrown at it, it's just too "hard" for people to do security audits, let alone remove redundant code, unsupported drivers, etc.
It's more like a case of it being too far gone and too complex, and perhaps there are parts of the code which no one really understands any more on account of the open development model (e.g. there are people or groups of people who made commits, possibly over 10 years ago, who no longer work on the project)? From a security perspective, that doesn't sound too good.