It is true that the CentOS folks were really late in getting out 5.3. They are definitely aware of the problems and are trying to get them resolved for future releases.
Some updates that came out for RHEL 5.3 could not be done for CentOS 5.2 because they depended on other (non-security-related) packages that were updated in 5.3... so their best course of action was trying to get 5.3 done as soon as possible.
I wouldn't call CentOS 5.3 a security nightmare. While there have been some security updates that have taken a while... none of them were critical. If they had ignored a critical update... or if there were some exploit in the wild, it would have been different.
The CentOS project takes a practical approach and weighs the actual risks (from my perception as a project outsider) and factors that into their work schedule. I'm not trying to say that is necessarily a good approach... because yeah, it would have been nice if security updates had been released the same day as, or the day after, Red Hat's, as has historically been the case. What other free / non-sponsored distribution maintains 3 or 4 different releases over a long period of time?
As they have said, if their updates aren't timely enough for you, and most of the time they are extremely timely, then you should consider going upstream.