This will surprise some of your readers, but my primary interest is not with computer security. I am primarily interested in writing software that works as intended.
Qmail out of the box works fine, so people will want to use it regardless of licensing restrictions, even when the software does not ship with their system software.
The challenge with Postfix, or with any piece of software, is to update software without introducing problems.
My reply is: the software has no known bugs, therefore it has not been updated.
I don't expect an overnight change of all desktops to what the US Military used to call B3 level security. And even that would not stop users from shooting themselves in the foot.
Writing software that's safe even in the presence of bugs makes the challenge even more interesting.
Most of the effort in the software business goes into the maintenance of code that already exists.
When I write software, I know that it will fail, either due to my own mistake, or due to some other cause.
The Postfix security model is based on keeping software simple and stupid.
In a previous life I wrote the software that controlled my physics experiments. That software had to deal with all kinds of possible failures in equipment. That is probably where I learned to rely on multiple safety nets inside and around my systems.