Dude, just jump ship already. I just read Slashdot these days for the perverse pleasure of silly stories.
P.S. This article hit front page YC and Proggit several hours before Slashdot.
You may be interested to know that AFS has implemented a variant of this feature. The conceit is that filenames can contain a magic string @sys, which gets substituted with the "sysname" of a particular system. This means if someone publishing software over AFS wants to have multi-platform support, they merely have to setup a directory divided by sysname and have compiled versions of the software for each system type they wish to support.
The first trap you will fall into thinking about this is that it should be the end-all security policy, and will solve our problems. It won't. That's not the intent, and also impossible given our diverse browser ecosystem.
The ability to tell the browser, via out-of-band, non XSS-able information, that certain scripts should not be executed, however, is a very powerful defense in depth measure, and makes it one step harder for attackers to make an attack work.
Security is a war of attrition. Bring it on.
Note: Not all security updates support HotPatching, and some security updates that support HotPatching might require that you restart the server after you install the security updates.
Yeah. Rebootless updates. Uh-huh.
I'm sure if you talk to them, they can set you up with a pricing model for update streams for these distributions.
No amount of careful planning will ever replace dumb luck.