Disclaimer: I'm an OpenBSD developer
I think we (OpenBSD) are pretty close. We've been 4 years without
a remotely exploitable vulnerability in the default configuration
(ie - out-of-the-box install). That means none of our last 8
releases have fallen to an out-of-the-box vulnerability.
As for getting OpenACS running on OpenBSD 3.0, that's one
of my Christmas projects. I'll let y'all know.