Hacker News



That looks not too bad considering what it does and the time range of CVEs


Maybe you can do a comparison to another well known open source project and see how well systemd fares: https://security-tracker.debian.org/tracker/source-package/l...


Or OpenRC, which is closer to a competitor than an entire OS. [0]

[0] https://security-tracker.debian.org/tracker/source-package/o...


Of course, the scope is different, the kernel is about 30 times as large as systemd (which is less than I was expecting frankly), but they both match the description "low-level large C language project". Therefore in my mind they should have a similar density of CVEs per lines of code:

Systemd has 4 open CVEs in ~1M lines of code.

The Linux kernel has 18 open CVEs in ~30M lines of code.



