Certainly this "once you install anything outside of the base system, all is lost" mantra is false.
If that was in reply to what I said, I was not, and would never claim "all is lost". I stand by what I said, that a secure OS can easily be compromised through either bad admin or bad services/applications.
Theo can put all the mitigations he wants into the OS, he can make it the world's most secure OS, but that will not completely prevent a compromise if the admin (possibly unknowingly) creates a hole, or a service with dubious code quality is listening to the net. The compromise might end up limited to less than the entire system, but any case where an attacker can get beyond normal/good/safe functionality is a compromise even when limited/mitigated. If we're talking only about entire system compromises, then FreeBSD's jails go a long way towards preventing those.
OS design, quality, mitigations, etc only go so far.
It is great that we have Theo and the other OpenBSD developers focussing hard on security. They are doing a good thing for the world, and the entire BSD ecosystem benefits from it. It's just wrong to infer that you can't also deploy a secure FreeBSD system which will withstand sustained attack from the worst the net throws at it. In specific cases, you may well appreciate some of the OpenBSD security features and benefit from them; but otherwise FreeBSD works just as well, in practical terms, for many cases.
In general, and in modern times, the external compromises don't tend to come from the OS itself, they almost always come from the services and applications. Much of the Windows malware finds its way in through applications, often with the user actively giving it permission (or at least creating the opportunity) to take over their system!