It comes from all his reporters being teenagers in developing countries with older models, and people using SOTA models who know how to qualify a potential vulnerability having much bigger fish to fry than curl. curl is a meaningful target, but it's in nobody's top tier.
Curl's Daniel Stenberg claimed during his NDC talk that vulnerabilities in this project are 8 years old on average.
I wonder where the disconnect comes from.