My guess is that in such low memory regimes, program length is very loosely correlated with bug rate.

If anything, if you try to cram a ton of complexity into a few kb of memory, the likelihood of introducing bugs becomes very high.

Yet here we are compounding the issues by adding more and more layers to these systems... The higher the level it becomes the more security risks we take.

Well you don't have room for a lot of "defensive" code. You write the program to function on expected inputs, and hope that all the "shouldn't happen" scenarios actually don't happen.

Also contrast with the busy beaver problem and how much can be done with a small handful of instructions.