The graph by Oracle is 7 months old ... because CentOS now has 2 full time developers and routinely beats Oracle to delivering kernels. Here is the graph and chart for 2012 EL6 Kernel updates. You can see that CentOS is delivering kernels 48% faster than Oracle in 2012 (25 days delayed for CentOS compared to 37 for Oracle). All but one of the eight 2012 Kernel updates have been delivered faster by CentOS. http://bit.ly/NEdAB8

You would have to ask the people who did it. I suppose that they might think that people who pay for RHEL are more security savy that those who take the free route. I am a centos developer, so I do not appreciate the suggestion that the CentOS team did something. There is no issue that makes centos more or less secure than RHEL in this instance. They likely chose CentOS because it is more prevalent than any other distro in the world and they had a scanner to find it. The initial entry is almost certainly a brute force ssh root password break in. They also likely developed their "malicious code" using the CentOS distro (it is free and the most widely used distro ... what would you pick to develop your code on?), so they likely know it works for sure on CentOS. Why take a chance it does not work on RHEL if they developed it on CentOS?

One of the issues in bding the most widely used distro and free is that bad guys use your stuff to build bad things.

Because CentOS is used more than any other linux server on the Internet maybe:

w3techs web usage

It is set up that way because that is how RHEL is setup.

You control the iptables on your machine, not the ISP. These guys are not hacking commodity shared servers they are hacking individual/coloacted servers. You would use IPTABLES and limit the access to at least known networks. Why have your ssh port open to China and Russia if it is located in the UK and never accessed from those locations (for example). Even if you don't have a single IP, you are on a specific network and you can allow only access from the "4" class B networks (as an example), etc. Also, you should always disable password logins and use keys to access your servers via ssh. Certainly you should disable direct "root" logins.

This is totally incorrect. There are MANY different licenses in RHEL. In fact, there are 240 individual licenses in RHEL-6.1 ... including: AFL, Artistic, BSD, CC-BY, GPLv2, GPLv3, CPL, EPL, IBM, IPA, ISC, LGPL, MIT, W3C, and many others ... including just Copyright Red Hat and NON-Distributable.

Red Hat did not write MySQL, the Apache Web Server, Gnome, KDE, OpenOffice, etc. They are USING / REBUILDING upstream code to create their distribution too. Granted, Red Hat pays people to help write some of that code ... however, they (and SuSE, and Debian, and every other Linux distro) is using other people's code, they are building that code and redistributing it just like CentOS does.

you CAN NOT install RHEL on machines that you do not have support for. You wave that right when you have any RHEL licenses. So, they can install RHEL if they have a valid license and they can not if they don't. CentOS is installed on an estimated 2 million machines world wide because of this. This issue is in RHEL and reproduced in CentOS, so it would not matter which one was installed.