Forum OpenACS Q&A: Firewalls (was SSH Telnet Access)

Posted by Patrick Giagnocavo on
I hate sounding like an advocate, but OpenBSD is secure from remote exploits out of the box.  And a default install includes a recent version of OpenSSH, which is immune to the possible reason that this box was cracked (though as someone else mentioned it might have been PAM).

While adding OpenACS and PG might reduce that level of security, you can use packet filtering (also built in) to block any attempts to connect on ports that should not be connected to.

OpenBSD follows a six-month schedule, with major releases every six months.

One other point in favor of OpenBSD is that the documentation is excellent. The man page for the software RAID driver, for instance, is complete enough that you can follow it to end up with a perfectly configured RAID array by the time you reach the end of the man page.

I am not a "professional" security guru, but am someone who has to admin many machines for different OpenACS customers - I chose what worked, for me.

Locking down services I don't need, packet filtering, and working from a relatively secure base OS is something I feel comfortable recommending.