It's not about inviting Joe and Mary to the field (of IT security) but about making (at least some) IT security actually available and usable for Joe and Mary. After all, what good is security if only a select few can actually use it?
Also: just have a look at security devices, for instance SELinux, TOMOYO and others on Linux. The vast majority doesn't use them (or even know about them to a reasonable degree).
Some (by no means all) comments on your article:
I think that it's a large base on which you can work more and refine over time. I'm under the impression though that it's biased. Not in terms of malevolence but by a starting bias that, btw, is not uncommon, namely the assumption that OpenBSD is the best and hence a reasonable feature matrix against which to compare other operating systems.
I'm also under the impression that your article might greatly benefit from a more profound understanding of the relevant details. Currently, so it seems to me (and I apologize if I'm mistaken), there is a tendency to accept statements at face value and to simply list everything.
Let me offer an example. OpenBSD (which chose a fish that pumps itself up to look more imposing ... maybe that actually is more than a funny picture) declares with a full mouth that at any given point in time 6 to 12 people of their team are auditing OpenBSD.
Now think. Is that indeed a relevant and valid statement?
If so, then Windows must certainly be more secure than OpenBSD, no? After all, they don't have 6 - 12 but 60 - 120 or even more people auditing their code.
IMO even more important though: did you ever see an OpenBSD audit report? If not, let me make you a very special X-mas price on the Tour Eiffel ... *g - Seriously, looking closer one might get the impression that those ominous audits are yet another version of the pumped-up puffer fish: lots of volume, little meat.
Allow me to suggest to you a better approach than collecting talking points of the OpenBSD evangelical team and comparing other OSes against those:
You (yes, you yourself) must come up with a list of relevant desirables against which you examine each OS. How to do that? You got me, that's a hairy beast. I'm afraid you'll need lots and lots of real world experience not only from the white side but also (at least) from the black side. And of theory. And of software development. And of OS innards.
Last but not least, unless you desire to add yet one more paper to a huge number of (rarely read) academic papers on the matter, you might want to ask a very, very important question that is unpleasantly rarely asked: security what for, security against whom? Because, after all, from that derives the only really relevant measure, namely real-life security.
An example: security means a very different thing depending on whether you look at script kiddies, semi-professional hackers for evil fun, or an NSA tailored access team. Of course, quite few (seriously) will try to protect against a TAO team, while virtually everyone (running a server) will love to be protected against script kiddies and the gazillions of hobby intruders. In other words, talking about "security" one needs a context.
Another issue that you (like almost everyone else) don't mention: a major part of the security devices of any OS are not against intruders - they are, in fact, against a large and largely different (quality-wise) plethora of userland programs, like idiocy in web or mail servers or (a gazillion other programs and programming incompetencies). It is, in fact, quite rarely the OS itself that opens all doors wide; it's drivers, daemons, libraries, applications.
To summarize, there are basically 4 problem/trouble sources: the OS itself, legitimate code (drivers, programs, etc.), legitimate (but incompetent and/or evil-spirited) users, and finally, real outside intruders.
In the end it boils down to:
- How is the OS itself designed and implemented?
- How is the code around it, i.e. drivers, core libraries, and finally userland?
- How well is an OS actually protected against incompetent or evil-minded legitimate users? (Hint: the latter are among the most dangerous threats against any OS.)
- How well is the OS protected against outside intruders (which, in large part, falls back to point 1)?