One can go around in circles with arguments about what is a "known possible security bug" vs "bug with unknown security implications". To add to the hyperbole one could also ask what does it take to become a "security issue" (e.g. is a bug that causes a crash/lock-up but otherwise doesn't provide root access a security issue? One may shrug off a lock-up on a personal laptop, but many clients will be very annoyed with lock-ups on servers running essential services).
Personally I'd like to know whether a kernel upgrade fixes a "known possible security bug", where the bug can be triggered by a deliberate and remote attack. However, one can also suspect that a reason for the rather obfuscated security warnings by Greg KH et al. (i.e. "strongly encouraged to upgrade") is not the definition of a security issue, but the politics of the Linux Foundation. Once a bug has a CVE number, the count of security issues in Linux goes up. Obviously it's very useful for marketing reasons if the number of security issues in Linux is lower than other systems. Hence why add to the count of security bugs (even though they may lack CVEs), through kernel update disclosures?