Shouldn't distros and ISVs ensure that security updates get deployed promptly?

Security updates in current linux distros are
optional, right?  i.e. in Ubuntu 8.10, it
*offers* updates to you every time you
log in.  And (though I should know better),
I often ignore that message, so my systems
are days out of date.

Given how much malware is out there,
shouldn't security fixes for remotely exploitable
flaws be installed a bit more forcefully?
e.g. instead of an ignorable notification,
how about an in-your-face dialog saying
they're going to be installed now?
Or in some cases even just silently installing them?

This goes not just for distros; any ISVs is on
the hook for rapid security updates these days,
I would think.

This isn't an idle question... the ISV I work
for is pondering how to package its app
and how to push out security updates to all customers
promptly.
I can't recall any standard mechanisms to make this
happen other than, um, having the package install
a daily crontab script to update itself via the appropriate
"apt-get install foo" or "yum install foo" command.

(That sounds awful forceful, but I think lots of shops
do this kind of update of the whole system, so perhaps
an ISV doing it for just their one app wouldn't be too
controversial.  Ha.)
- Dan