I wrote:
Incidentally, you and I should both transition from BIND9 to a better authoritative-only nameserver (such as NSD) and from Apache http to a lighter and more secure httpd (such as Lighty or nginx).
Also on the cutting block: NTP Project ntpd, _also_ traditionally a source of recurring security problems and notably overfeatured. I'd been thinking the leading alternative for my use case would be OpenBSD Foundation's OpenNTPd, but the Red Hat-sponsored Chrony appears surprisingly good: https://www.coreinfrastructure.org/news/blogs/2017/09/securing-network-time
It's a pity that the security audit in question didn't include OpenNTPd.
(Implementations studied: NTP Project ntpd, NTPSec, Chrony. The study notes that the NTPSec fork is still in early days, doing cleanup of NTP Project legacy code, so current results don't necessarily predict well what's coming. The same can probably be said of OpenBSD Foundation's project, likewise a fork of the reference codebase focussed on losing legacy cruft and less-necessary features. Chrony stands out as being a from-scratch fresh implementation.)