Qmail and DJBdns are both by Daniel Burnstein (im afraid I have probably butchered the spelling) and both have [cr.yp.to] rewards [cr.yp.to] of $500 for security related bugs that have remained long unclaimed (qmails was first offered in 1997). They replaced (the notoriously insecure) sendmail and BIND respectivly (curiously both out of berkley which seems to product great programmers and terrible software).
The history aside it seems that qmail has a lower market share then that of sendmail or postfix, largly (in my opinion) because the interface and configuration differs enormously from that of sendmail which tends to break sendmail-centric programs and make migration troubling at best (postfix is designed to use an interface identical to sendmails, and the configuration varies for the better). DJBdns suffers a similar fate when compared to BIND.
I guess the moral of the story is that you can have the most secure program in the world - but if you discourage users from switching over to it it dosn't much help (In fairness I think Mozilla does not suffer this problem).