What you've just said is that experts who spent their time reverse engineering a binary
firmware failed to find an easily exploitable method, but instead found a method that enabled
them to make money. That is human nature. What guarantees do I have that some Linux
contributors don't deliberately introduce or obscure exploitable bugs so that they can profit
from them in some way? The vast majority of other people who understand and find them are
likely to keep them to themselves, or sell them on.
If there is no accountability or transparency in how these serious flaws are dealt with, no
incentives to disclose or not put them there in the first place, bad things will almost
certainly happen. It's inevitable. These corruptions happen in every other field; it's naive
to think they won't happen here.
Everything that is even remotely a "security" threat should be labeled as such. If this makes
Linux look bad when some smart researcher compares all the major OSes' security by counting
publicly known flaws, so be it. That is the incentive to not put them there in the first
place. Hiding them is, at best, leading to a culture of complacency, and at worst an
indication of malice.
I salute spender and the PaX team for bringing these issues to the fore. They have made a
considerable impact in the field of security; when they speak, it is worth listening.