The 'little time' you refer to can be anything from months to years. Not everyone keeps their
kernels bang-up-to-date, and fixes to things which might be security holes in mainline are not
always instantly propagated to -stable. Thus a window exists, and given the existence of
rapidly-propagating worms it is unwise to make that window wider than necessary.
(This is of course the entire justification for the existence of private lists like vendor-sec
and the BIND security list in the first place. You might not like it but it *is* defensible. I
don't much like it either, not being on any of those private lists, but nonetheless I can't
really argue against it.)