Given bug A, which appears to be a security vulnerability, and bugs B1-26 which are not known to be vulnerabilities, does it make sense to apply patch B13, which contains its own bug which renders the iwl4965 driver inoperable (again)? Or patch B25, which introduces its own security vulnerability?
Bugs can be categorized as follows:
Known vulnerability, known to be exploitable
Known vulnerability, assumed to be exploitable (may not be)
Not known to be a security flaw, but it is one
Not known to be a security flaw, and it isn't one
Known to not be a security flaw
Now obviously we'd like to have patches for all of the first three classes, but we can't include the third because they're unknown. But clearly getting the KNOWN problems solved is better than nothing? And from a risk management perspective, fewer changes is better. Believe me, if I could just upgrade the parts of the kernel which required security fixes, I would. The last year I've had nothing but pain when upgrading my kernel, and minimizing the changes makes sense. Thankfully I don't have to maintain a bunch of servers, just my one laptop. I'd hate to deploy a security fix to my enterprise and find that my entire workforce's wifi cards stopped working, making it extremely difficult for them to go back to a working kernel.