
It's a weird rhetorical position you're putting me in, where to agree with you I'd have to simultaneously accept that -CURRENT isn't widely deployed (reasonable!) and that a broken kernel RNG isn't a game-over flaw (not so reasonable!).



The reason that the latter point is reasonable is, it trivially isn't a game-over flaw for systems which do not have game-overs.

What we know about every system that installed FreeBSD-CURRENT is that the systems administrators at the time fully accepted an operating system:

1. that is not in any way "officially supported". (FreeBSD's words, not mine.)

2. that may for short periods of time "not be buildable."

3. that "is not a quick way of getting bug fixes as any given commit is just as likely to introduce new bugs as to fix existing ones".

4. that is much weaker in guarantees than the FreeBSD-STABLE branch, which expressly disclaims, "one should not blindly track FreeBSD-STABLE. It is particularly important not to update any production servers to FreeBSD-STABLE without thoroughly testing the code in a development or testing environment."

If someone has signed off on these topics, then there is no such thing as "game over". The server isn't important enough for "game over". If it is, then the security vulnerability was not the broken RNG but tracking FreeBSD-CURRENT in the first place.


Suppose a developer generated an ssh key while running -current and shared /home with -stable. Then the vulnerability would long outlast the use of -current.


It's not that it's not widely deployed - it's that -CURRENT is deployed by people who have been warned that it could fail at any moment because it is in constant development. It's a development tree, sometimes it doesn't even boot! Sometimes on svn upgrade (and recompile) it can hose your filesystem partitions and that's expected. Forget about the RNG - when someone is working on filesystem code it corrupts files and you lose all your data! I can say this with a straight face because that's what it's for.

I say it's a game-ON plan because thank goodness it got caught in -CURRENT now - that's the way the development process is supposed to work.

I myself run -CURRENT 2 ways - one is a sandbox development physical box that has no access to any of my other servers (I use it to try ports to see if they will still work on -CURRENT), and the 2nd way is in a VM on my laptop to fire it up to see if it boots from time to time.



