High quality code reduces instances of vulnerabilities, which is great. But code vulnerabilities are only one of the many factors in assessing security.
To be considered a secure operating system, you need to have more mechanisms in place to protect against various threats, and the OBSD developers actively resist that. I'm familiar with their innovations and solutions, and I think they fall far short.
Here's a neat resource for OpenBSD's mitigations, some of which were/are novel, though it may not have been updated recently (2019):
https://isopenbsdsecu.re/mitigations/