
My OS does constantly have bugs. It would be pretty unreasonable to say that my OS should never have bugs because of the practical impossibility of delivering perfectly bug-free software. So if people, after 10 years of trying, only found 4 critical vulnerabilities in all of coreutils, then that seems pretty good to me.

Rust itself has had 9 CVEs relating to memory safety in 2021 alone[0], which you can justify because Rust's development is highly active.

https://www.cvedetails.com/vulnerability-list/vendor_id-1902...




Recently there's been some folks "backfilling" CVEs. For example, the last one on that list was filed in 2021, but was fixed in 2015. The second to last one was filed in 2021, but was fixed in 2020.


What would motivate someone to do that? Sounds misleading to file a bunch of CVEs years after the fact.


The idea is, a lot of tooling relies on the CVE system to determine if a system is vulnerable, and so making sure that there is an actual CVE filed for every security bug is a good idea for the robustness of said tooling.

At least, that's my understanding.
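To make the tooling argument in the two comments above concrete, here is an added example (not code from this thread, and not any real scanner or advisory database) of the version-matching check that vulnerability tooling typically performs: an installed version is flagged when it is strictly older than the advisory's fixed-in version. The advisory identifiers, versions and years below are constructed for illustration; the point is that a fix with no record produces no finding at all, however old the installed toolchain, so filing a record years later still changes the scanner's answer.

```rust
// Added example: a minimal advisory matcher of the kind that vulnerability
// scanners run. Records and identifiers are constructed, not real CVEs.

#[derive(Debug, Clone)]
struct Advisory {
    /// Constructed identifier for this example, not a real CVE ID.
    id: &'static str,
    /// Affected package name.
    package: &'static str,
    /// First version containing the fix; every earlier version is affected.
    fixed_in: &'static str,
    /// Year the fix shipped.
    fixed_year: u32,
    /// Year the record was actually filed in the database.
    filed_year: u32,
}

/// Parse "MAJOR.MINOR.PATCH" into a numerically comparable tuple.
/// Returns None for anything that is not a plain dotted version.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.trim().split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next().unwrap_or(Some(0))?;
    let patch = parts.next().unwrap_or(Some(0))?;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// True if `installed` is affected by `adv`: same package and strictly older
/// than the fixed-in version. Unparseable versions fail closed (reported).
fn is_affected(adv: &Advisory, package: &str, installed: &str) -> bool {
    if adv.package != package {
        return false;
    }
    match (parse_version(installed), parse_version(adv.fixed_in)) {
        (Some(i), Some(f)) => i < f,
        _ => true,
    }
}

/// IDs of every advisory in `db` that applies to the installed version.
fn audit<'a>(db: &'a [Advisory], package: &str, installed: &str) -> Vec<&'a str> {
    db.iter()
        .filter(|a| is_affected(a, package, installed))
        .map(|a| a.id)
        .collect()
}

/// Constructed sample database. With `with_backfill` set, it also contains
/// records filed in 2021 for bugs that were fixed in 2020 and 2015.
fn sample_db(with_backfill: bool) -> Vec<Advisory> {
    let mut db = vec![Advisory {
        id: "EXAMPLE-2021-0001",
        package: "rustc",
        fixed_in: "1.52.0",
        fixed_year: 2021,
        filed_year: 2021,
    }];
    if with_backfill {
        db.push(Advisory {
            id: "EXAMPLE-2021-0002",
            package: "rustc",
            fixed_in: "1.49.0",
            fixed_year: 2020,
            filed_year: 2021,
        });
        db.push(Advisory {
            id: "EXAMPLE-2021-0003",
            package: "rustc",
            fixed_in: "1.3.0",
            fixed_year: 2015,
            filed_year: 2021,
        });
    }
    db
}

fn main() {
    // Scan a hypothetical pinned toolchain with and without the backfilled records.
    for &with_backfill in &[false, true] {
        let db = sample_db(with_backfill);
        let hits = audit(&db, "rustc", "1.48.0");
        println!("backfill={}: rustc 1.48.0 matches {:?}", with_backfill, hits);
        for a in db.iter().filter(|a| hits.contains(&a.id)) {
            println!("  {} (fixed {}, filed {})", a.id, a.fixed_year, a.filed_year);
        }
    }
}
```

Note that the comparison is numeric, not lexicographic: a string compare would rank "1.9.0" above "1.49.0" and silently miss findings, which is the same failure mode as a missing record.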





