> if you don't want to only apply security fixes to get a secure system,
> why do you need the big red flag that a patch is a security fix? if you
> are applying all bugfixes then you will get the security fixes along with
> everything else.
You wouldn't want to introduce possible instability to the system by applying other non-security fixes and enhancements.
> as for the reason to not call it out, to give the good guys a chance to
> apply fixes before the bad guys are writing exploit code.
Obscurity doesn't help, and it only makes the matter worst. Have you ever thought about the possibility that the good guys could also miss applying the security fixes just because of the obscurity in the changelogs?