At least with RHEL I know about their security procedures (quite rigorous).
Last I checked, crackers actually signed openssh packages sent out over RHN for RHEL 4. Also, let's compare. Redundant Oracle database server, running Enterprise Edition. Let's see. Server: 8K. RHEL license: 300 bucks. SAN so you can support RAC: 50K. Oracle licensing for an additional server: 125K. Total cost of around 183K to run RAC compared to a standalone server. That's a lot of money to justify being immune to the major cause of downtime (kernel patches; hardware these days just doesn't fail in a way that brings systems down).
Payback for 183K at 4 dollars a month is 45,750 months, or 3,812 years. That's a really long time to put RAC out there as a solution just to achieve HA. Now, I'm not saying that this solution is as good as RAC at eliminating downtime, but I have 5 full-time production Oracle servers in a mid-sized company that have had exactly 0 minutes of hardware-related outage over the past 18 months. Of the outages, 95% were kernel patches. To my boss, if I can eliminate 95% of our database downtime for $20 a month, what do you think he's going to say? It's a lot more convincing than saying I can eliminate 100% of it for $180K per server, that's for sure. Maybe the economics of my company (mid-sized company, supporting about 140 servers total) are the exception, but in my case, this makes damn good sense.