The reason that you are required to use version x.y.z or newer is because there are security vulnerabilities with the earlier versions, and (generally speaking) if it is connected to NIPRNET and publicly facing, it is a matter of WHEN it gets hit, not IF. This is why there is a STIG, and why you need to periodically run it against your production boxes to keep them current.
If you are a DoD admin, then you have been briefed on why you need to do this, so I'm not going to waste time talking about it here. Failure to remain current is a reason for DISA to shut off your connection.
The scenario that there is a vulnerability, but there isn't a fix for it available yet, and you are at the mercy of volunteers to fix it, is one of the nightmares of DoD policy makers. This is why they often argue for non open source software, because the idea is if they pay for it, then they have someone's feet they can hold to the fire (not literally, but figuratively, anyway) to get it updated! (Yes, I realize that this isn't really the case often, and closed source can take forever to close a hole, but this is the argument... facts don't always come into play when lobbyists get involved).
I always thought DoD would be the perfect place for open source software, where they could build an approved flavor of Linux, set up an approved distro site, and then hash everything to make sure that you were running a version that was blessed by security to help alleviate trying to support everyone's own custom setup. Unfortunately, there are several major problems that I see with this:
1. You are beholden to the vendor of your product, and what they say they support. This is part of the bane of COTS. Not everything is developed to run on Trusted Solaris. You use what's out there in the world, not what DoD has hardened. This makes sense for budgetary purposes, but is sometimes at odds with security. "Oh, we realize that there is a vulnerability in the subsystem, but we don't support the upgrade because it breaks our system." This is also why there are so many systems still running IE6... because the java apps that were written by the tons don't work on IE7 or later (or better yet, a non M$ browser) because they don't want to update the code (or can't because the guy who cobbled the original together is no longer there, and no one else understands what the heck he did...)
2. DoD, or at least the military, doesn't want to be in the development business. They only have a finite number of bodies, which they can devote to war fighting, and don't want to waste them on support roles (try not to laugh too hard, I know they don't do a good job of this either, but that is the concept anyway). They get around this by hiring civilians and contracting support roles out, but often, this leads to enormous amounts of oversight and administrative overhead (and don't forget about the opportunity to line the PORK barrel while you are at it), and suddenly what was an inexpensive concept is now a multi-million dollar monster with a life of its own.
3. It's far easier to find vulnerabilities than it is to fix them. Also, systems have gotten so complex, and with so many components, that at times a house of cards looks more stable than a server (DCTS, I'm looking at you).
I think China might have the right idea. Mandate your own OS, and only let it be used for official purposes. This is a great idea on paper, but in practice it would run afoul of the issues mentioned above. It might work for China if they don't have a lot of modernization or a bunch of legacy systems already, that would need to be converted. They may have the willpower to want to spend the money needed to make everything happen, but I don't see the US doing this anytime soon. It is probably going to take some very painful lapses to occur before this will take place.
I apologize for the overuse of acronyms, but hey, this is about a DoD system :)
As far as the OP goes, you might talk to some guys who are maintaining *nix systems on networks other than NIPRnet, to see if they have created their own distros, repos, or if they are doing something else. I do feel your pain, as I recall the days of STIGing Solaris 8, when it came with BIND 8 embedded in it, and even though you weren't running a DNS server on it, it would still flag as a vulnerability (No version of BIND 8 was considered secure, you had to use 9... but you didn't want to install 9 unless you were running a DNS server... what great circular arguments were had over this), and if you got a new guy doing the STIG, you had to educate him all over about it.
Slightly OT, but one of the current issues that the US DoD faces is that NIPRnet was supposed to be an administrative, non mission critical network, that has evolved into something more, but hasn't been protected like it needs to be. You can't just put its functions on a classified network, because the data simply is important or sensitive, but not classified. (You realize this when you have to get an UNCLASS downtime, and you get more push back on it than you do on "other" networks, because some yahoo in the command center doesn't want to be deprived of his sports score updates).
And the other age old problem is there isn't an admin out there that isn't fighting to get enough time to keep everything up to date (if there is, their department is in danger of being downsized), and dealing with all the other day to day problems.
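The two mechanics the post leans on, the "version x.y.z or newer" rule and the "hash everything against a blessed baseline" idea, are simple enough to show in working code. The following is an added example, not code from the post or from any DoD/DISA tool; the manifest format, the package names, the version numbers and the artifact bytes (and therefore the hashes) are all constructed for illustration. It compares what a host has installed against an approved manifest and reports, per package, whether it is current, behind the minimum version, a non-blessed build of an acceptable version, absent, or not on the approved list at all. Version comparison is numeric per component so that 3.10 correctly counts as newer than 3.9, which a plain string comparison gets wrong.

```python
"""Check installed packages against an approved (blessed) manifest.

Added example; not from the original post. Package names, versions,
artifact contents and the manifest layout are constructed sample data.
"""
import hashlib
import re
from dataclasses import dataclass


def version_tuple(version: str) -> tuple:
    """Turn '9.2.1' or '9.2.1-p3' into (9, 2, 1): numeric components only,
    so comparisons are by number rather than by string."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def meets_minimum(installed: str, minimum: str) -> bool:
    """The 'x.y.z or newer' rule. Shorter tuples are zero-padded so that
    '9.2' and '9.2.0' compare as equal."""
    a, b = version_tuple(installed), version_tuple(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Approved:
    """One manifest entry: lowest acceptable version and the hash of the
    artifact that security actually blessed."""
    min_version: str
    sha256: str


@dataclass
class Installed:
    """What a host reports for one package: its version and the bytes of
    the installed artifact (here a constructed stand-in for a real file)."""
    version: str
    artifact: bytes


def check_host(manifest: dict, installed: dict) -> dict:
    """Return {package: status}. Statuses: 'ok', 'outdated' (below minimum
    version), 'hash-mismatch' (version acceptable but not the blessed build),
    'missing' (in manifest, not on host), 'unapproved' (on host, not in
    manifest). Version is checked before hash: an outdated package is
    reported as such even though its hash will not match either."""
    report = {}
    for name, approved in manifest.items():
        inst = installed.get(name)
        if inst is None:
            report[name] = "missing"
        elif not meets_minimum(inst.version, approved.min_version):
            report[name] = "outdated"
        elif sha256_hex(inst.artifact) != approved.sha256:
            report[name] = "hash-mismatch"
        else:
            report[name] = "ok"
    for name in installed:
        if name not in manifest:
            report[name] = "unapproved"
    return report


# Constructed blessed artifacts; hashes are derived from these bytes so the
# manifest is self-consistent without inventing any real checksum.
BLESSED_SUDO = b"sudo-1.6.8 blessed build (constructed sample bytes)"
BLESSED_SSH = b"openssh-3.9 blessed build (constructed sample bytes)"
BLESSED_BIND = b"bind-9.2.1 blessed build (constructed sample bytes)"

MANIFEST = {
    "sudo": Approved("1.6.8", sha256_hex(BLESSED_SUDO)),
    "openssh": Approved("3.9", sha256_hex(BLESSED_SSH)),
    "bind": Approved("9.2.1", sha256_hex(BLESSED_BIND)),
    "ntp": Approved("4.2.0", sha256_hex(b"ntp-4.2.0 blessed build (constructed)")),
}

# Constructed host inventory: one current package, one BIND 8 install (the
# post's case), one locally rebuilt newer-than-minimum package, one stray.
SAMPLE_HOST = {
    "sudo": Installed("1.6.8", BLESSED_SUDO),
    "bind": Installed("8.4.7", b"bind-8.4.7 vendor bundled build (constructed)"),
    "openssh": Installed("3.10", b"openssh-3.10 local rebuild (constructed)"),
    "wget": Installed("1.9", b"wget-1.9 (constructed)"),
}


if __name__ == "__main__":
    for package, status in sorted(check_host(MANIFEST, SAMPLE_HOST).items()):
        print(f"{package:10s} {status}")
```

In the sample run, sudo is "ok", bind is "outdated", openssh is "hash-mismatch" (version 3.10 satisfies the 3.9 minimum but it is not the blessed build), ntp is "missing" and wget is "unapproved". Note that, like the STIG in the post's BIND 8 story, this check says nothing about whether the service is actually enabled; deciding how loudly to treat an outdated package on a disabled service is a policy call that sits outside the comparison itself.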