This illustrates part of the problem with the kernel developers covering up security issues. You can't even illustrate how pathetic the current situation is because of the fact that found+fixed vulnerabilities aren't being acknowledged (either through CVEs or other means). The latest "stable" kernel release is filled with fixes for vulnerabilities (some of which have CVEs assigned, but it's been decided that that information won't be included in the stable release changelogs).
The classifications for these vulnerabilities are also wildly inaccurate.
Take for example:
CVE-2008-2365 core DOS Red Hat utrace race
If you go and look at the bugzilla entry for it: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2365
Sitting right there in the OOPS report is everything you need to know: RIP = 0, hence trivial arbitrary code execution from Linux 2.6.9 to 2.6.25, and not a "DoS".
Same goes for:
CVE-2008-3686 net DOS IPv6 null pointer dereference
which btw is still not properly fixed (the exploitable null dereference just moved to a less obvious spot under a specific configuration)
It's very obvious that this problem is due to the development model they've decided to adopt. Despite its advantages in getting new features out to users more quickly, it has some serious disadvantages: particularly in stability and security. They reaffirm their decision to use this model by pretending the disadvantages don't exist, by trivializing the horrible security of these kernels.
And it's only going to get worse, primarily because of your collective apathy. You gauge your success by how many "vmsplice" vulnerabilities have been found -- and I've got to tell you, that's not any kind of anomaly when it comes to the actual security of the kernel. It's more surprising that it was made public. Read the actual exploit where it alludes to how long it had been kept private.
You've enabled them to not report security issues. You've made your bed and you'll have to lie in it.