There’s quite a lot of programs that make use of XDG_CONFIG, with the default set to .config in most distros. However, there’s also quite a few programs that have rejected this, sticking with a format that is not XDG-conforming.
One such example is OpenSSH, as can be seen in the following page - it makes use of the ~/.ssh directory. Why is that OpenSSH does not conform to this specification? Are there any security vulnerabilities? If so, then shouldn’t there be another specification by Freedesktop.org, which allots a secure directory for the same?
They are not BS reasons, they are just reasons you don’t like. The OpenBSD team - those behind OpenSSH - are very conservative to the point of being almost reactionary, and that’s great for the kind of software they make. OpenBSD defines itself as “boring”, in a good way.
Coming from a Linux world it may seem weird, as around Linux innovation is praised more than improvement so we end up with a bunch of shiny new software with a lot of growing pains, while BSDs tend to be avantgarde on some technical aspects but at the same time very wary of novelty. OpenBSD in particular takes this to the next level with most of development still happening on CVS and many other quirks that would baffle most Linux users.
To each their own. Personally when it’s security stuff I like it boring. I’ve been using openssh since version 2.x and the muscle memory built 20 years ago is still serving me.
Edit: just to be clear, for ssh Linux is a second class citizen. On our distros we run a special (less secure) “portable” version of ssh that they release for us poor peasants. OpenSSH is an OpenBSD tool first, everything else after.