Comment by labawi
6 years ago
> .. source code isn't open-source ..
Not sure what you mean, but then what is this: http://links.twibright.com/download/
> In this thought experiment, any successful attack has massive value so we can expect bad actors to be hammering on the system and finding most such exploits available on the application.
Precisely, and because of that, with 50% of people using it, an orders of magnitude smaller attack surface and a mostly fixed feature set (you could at least have an LTS version), just how many vulnerabilities are there to find? How many man-years of work until there is nothing¹ left to find? Do you think that just any code has exploitable vulnerabilities, you just need to look hard enough? And with each fix, you can repeat that ad nauseam?
With the current browser development efforts, would we end up with a 100% formally verified browser, including its dependencies, networking, and maybe even relevant parts of a Linux kernel?
Judging by the change log[2], links is currently developed by 1 developer and occasional contributions.
¹ Nothing of sufficient importance, frequency and lack of reasonable mitigations like not clicking on browser look-alikes, server-side CSRF protections, etc.