what security fix?

"Pragmatic" disproves your point! To be pragmatic one needs information to base decisions upon. Simply following "we urge you to upgrade" isn't pragmatic at all, that's faith, faith in the developers to now what's best. Now nine times out of ten that might be just fine, but the one time out of ten, where an upgrade breaks some other part of your system, can still be often enough to be problematic.

If there are known security issues, I need to know, because I need to protect my servers and my clients, either by applying the fix, or by creating a seperation between the bug and potential triggers of it. If not, if it's say, timing tweaks to the schedulars to undo a regression, I need to make sure that it applies to me. If the regression hasn't affected my workloads, changes to the schedular could, and I wouldn't want to apply it without some stress testing during a planned upgrade time (we lost *loads* during early 2.6.2x kernels as IO would grind to a halt under certain loads as each of the cores just seemed to be blocking... the problem went away dropping back to the maintained 2.6.16 series, and post 2.6.25 seems okay, but boy did it cost us and did we learn our lesson).

Note that this isn't a complaint, I play about with risky experimental code because I enjoy the new stuff. If I thought they were crap, I wouldn't be using their kernel.