The reason that the latter point is reasonable is, it trivially isn't a game-over flaw for systems which do not have game-overs.
What we know about every system that installed FreeBSD-CURRENT is that the systems administrators at the time fully accepted an operating system:
1. That is not in any way "officially supported". (FreeBSD's words, not mine.)
2. that may for short periods of time "not be buildable."
3. that "is not a quick way of getting bug fixes as any given commit is just as likely to introduce new bugs as to fix existing ones".
4. that is much weaker in guarantees than the FreeBSD-STABLE branch, which expressly disclaims, "one should not blindly track FreeBSD-STABLE. It is particularly important not to update any production servers to FreeBSD-STABLE without thoroughly testing the code in a development or testing environment."
If someone has signed off on these topics, then there is no such thing as "game over". The server isn't important enough for "game over". If it is, then the security vulnerability was not the broken RNG but tracking FreeBSD-CURRENT in the first place.
Suppose a developer generated an ssh key while running -current and shared /home with -stable. Then the vulnerability would long outlast the use of -current.
What we know about every system that installed FreeBSD-CURRENT is that the systems administrators at the time fully accepted an operating system:
1. That is not in any way "officially supported". (FreeBSD's words, not mine.)
2. that may for short periods of time "not be buildable."
3. that "is not a quick way of getting bug fixes as any given commit is just as likely to introduce new bugs as to fix existing ones".
4. that is much weaker in guarantees than the FreeBSD-STABLE branch, which expressly disclaims, "one should not blindly track FreeBSD-STABLE. It is particularly important not to update any production servers to FreeBSD-STABLE without thoroughly testing the code in a development or testing environment."
If someone has signed off on these topics, then there is no such thing as "game over". The server isn't important enough for "game over". If it is, then the security vulnerability was not the broken RNG but tracking FreeBSD-CURRENT in the first place.