I would argue, it's not that he's *right*, it's that he's right in a way that still doesn't help.
Wife: "Honey, do you know where my keys are?"
Husband: "Pretty sure they're right where you left them!".
Technically correct, completely unhelpful.
And that's how QMail is. (or was, I stopped using it years ago) Qmail is a nightmare I'd rather forget. Sure, it is/was very secure, modularly written with strong privilege separation, built-in clustering support, etc. But because of the horribly restrictive license it was under, you had to download it and apply a half dozen patches in order to get it to do what you wanted. Worse, the patches were often somewhat in conflict, so you end up doing patches in a specific order to get what you want, and/or manually editing files. And then, when you are done, you have something that not only has its own init system, it actually conflicts with the standard init system so you have to pretty much disable every other service on the said server.
But you know what seems like the most asshole part of all? Updates are infrequent at best, and the license doesn't allow you to distribute updated versions. It just isn't going to get any better. Everywhere else, you run a single command (EG: yum install postfix) but to get qmail going takes weeks.
I'm a big fan of DJB's code quality, and the new Crypto being released as LGPL means I would actually get behind using his code. I'm just glad that heartbleed means that the critical security infrastructure will finally get somewhere near the attention it deserves...