BTW as we've mentioned repeatedly before, the only thing we called for in the past was for security-relevant information *known at the time of the commit* to not be omitted from the changelog. It would be silly to hold a fix from being published until its full impact could be determined.
Similar to how static checking is done after the fact, vendors should be employing people trained in security to spot bugs with security implications. The information could be posted on a blog similar to xorl's but with simple summaries of impact included as well. Xorl can push out several quality posts like these a day, and he does it for free in his spare time; there's no reason why a company with 600 million in revenue can't do the same.