Correcting what I wrote, recently:
The study notes that the NTPSec fork is still in early days, doing cleanup of NTP Project legacy code, so current results don't necessarily predict well what's coming. The same can probably be said of OpenBSD Foundation's project, likewise a fork of the reference
^^^^^^^^^^^^^^^
codebase focussed on losing legacy cruft and less-necessary features.
Actually, OpenBSD Foundation's OpenNTPD is _not_ a fork, but rather another from-scratch reimplementation, as is the Red Hat-sponsored Chrony codebase. It's unfortunate that OpenNTPd wasn't included in the Core Infrastructure Initiative security study, but I would expect on general principles for it to have excellent prospects.