By definition, Centos lags behind Red Hat on patches. They work very hard to make that window as small as they can, but sometimes it drags out longer than you'd like it to for a critical system. Some researchers will wait for Red Hat to release a patch before posting about a vulnerability. Not so many will wait for Centos. So the window where there's an announced flaw without a patch is, necessarily, larger with Centos than Red Hat.