Depends who "they" are. Bugs in the crypto code will compromise the cryptographic strength of the connection, revealing data or keys. Bugs in the protocol code will compromise the host which is running it.
Both are bad, but I'd say that "remote root" trumps "side channel attack".