
They are a company focussing on just one commercial product.

Also I find there's some kind of pride in quality amongst mac-developers.

Plus the LastPass vulnerability that was disclosed a couple of months ago seemed pretty basic, and I haven't heard of serious vulnerabilities in 1Password for a while.

And that 1Password is local.

All of that is just a feeling though, of course.



> They are a company focussing on just one commercial product.

Or: "they are a company depending on just one commercial product".

Doesn't look that good anymore, hm?

Try KeePass for example. It's local too and it's open source.


KeePass doesn't even serve its updates over HTTPS, so who knows what I'm getting.

This fact alone makes me lose all trust in its developers.


There have been some articles about automatic KeePass updates being vulnerable. This section clarifies the situation and its resolution.

First of all, we would like to note that KeePass cannot update itself. KeePass does support checking for updates (optional; by downloading a version information file, comparing the available with the installed version number, and displaying a notification if necessary). However, it neither downloads nor installs any new version automatically. Users have to do this manually.

KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.). In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> 'Properties' -> tab 'Digital Signatures' (the expected signer name is 'Open Source Developer, Dominik Reichl'). When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.

The KeePass website links to SourceForge for downloading KeePass. However, even if SourceForge (or the KeePass website) is compromised and serves a malicious download, users who check the digital signature will notice the attack and will not run the malware. Note that HTTPS cannot prevent an attack via a compromise of the download server; checking the digital signature does.

The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.

Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-4096 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. Furthermore, the version information file is now downloaded over HTTPS.

http://keepass.info/help/kb/sec_issues.html#updsig
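The quoted KeePass page describes checking the Authenticode signature by hand in Windows Explorer. The same check can be scripted, which is useful when verifying every EXE and DLL in an extracted download rather than one file at a time. The following PowerShell function is an added example written for this thread; it is not code from the KeePass project. It uses the built-in `Get-AuthenticodeSignature` cmdlet and assumes the expected signer name quoted above; the file paths are placeholders supplied by the caller.

```powershell
# Added example (not KeePass project code): verify the Authenticode signature
# of a downloaded binary before running it. A 'Valid' status means the file's
# signature checks out AND the signing certificate chains to a root the local
# machine trusts; the signer name is then compared against the expected value
# quoted on the KeePass security page.
function Test-KeePassSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Expected signer as stated on the KeePass page (assumption: this is
        # the CN of the code-signing certificate).
        [string] $ExpectedSigner = 'Open Source Developer, Dominik Reichl'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
    # means the file was tampered with, unsigned, or signed by an untrusted chain.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "'$Path': signature status '$($sig.Status)' - $($sig.StatusMessage)"
        return $false
    }

    # A valid signature from the wrong signer is still an attack: a mirror could
    # serve a binary signed with some other legitimately issued certificate.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($ExpectedSigner)) {
        Write-Warning "'$Path': valid signature but unexpected signer: $subject"
        return $false
    }

    Write-Verbose "'$Path': OK, signed by $subject"
    return $true
}

# Usage (placeholder path): check every EXE and DLL in an extracted KeePass
# directory and list which ones fail, before running any of them.
# Get-ChildItem -Path 'C:\Path\To\KeePass' -Include *.exe,*.dll -Recurse |
#     ForEach-Object {
#         [pscustomobject]@{ File = $_.Name; SignatureOk = Test-KeePassSignature $_.FullName }
#     }
```

Note that this reproduces the point made in the quoted text: the check does not depend on how the file reached the machine, so it detects a malicious binary served by a compromised mirror just as well as one altered in transit, which HTTPS alone would not catch in the first case.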


> Or: "they are a company depending on just one commercial product". Doesn't look that good anymore, hm?

Actually it does. They depend on selling their product to security-savvy users, so they will ensure its quality.


> They depend on selling their product to security-savvy users

No they don't. They just need some good advertising and they can sell to people who didn't even know they needed it (fear works very well here). Really tech-savvy users will just move on if they don't like something, or won't even come in because it's not open source or because of data thrift. The untechy customer will stick to what he has.

On the other side: if there is just one company better than them, with better advertising, they'll have to see how they can get money with just this product. There are many creative solutions out there. A sheer endless horizon of possibilities I don't even want to think about.


> They depend on selling their product to security-savvy users, so they will ensure its quality.

This is a dangerously naive attitude.



