BSD boosterism is a meme, I know, but honestly this is the incorrect take.

Anything as large and complicated as a kernel has bugs. Some of those bugs may be security related. If security is your concern, you want to use the kernel which has people actively publishing those bugs so they can be patched.

The fact you haven’t seen privilege escalation vulnerabilities in BSD isn’t necessarily because they aren’t there. We don’t know that. What we do know is that not as many people are looking.