The security community says that more code equals more bugs. More code means more complexity, and more complexity means more bugs. People make, on average, a certain number of mistakes per X lines of code. Removing X lines of code removes those bugs. If you can remove code and still meet your goal, you should always do it. A really good programmer might average one bug per 500 lines of code; removing 500 lines of code will likely remove a security vulnerability. A shitty programmer might average one bug or more per 50 lines of code; removing 500 lines of code will likely remove 10 security vulnerabilities. Seriously, there is not much of a debate: there are all kinds of studies showing that programmers tend to make an average number of errors per X lines of code (with more skilled programmers making fewer, and security-oriented, highly skilled programmers making very few), and that means the fewer lines of code your program has, the fewer bugs it will have. The number one rule of security programming is to express every program in absolutely as little code as required to meet your objective. Any additional code is just introducing additional security vulnerabilities for no reason at all.