Red Hat does a good job with regard to security and only security, but the data is not available from most other distros and the format is not good for aggregation.
I think all commercial vendors should get together and publish metadata about the work they are doing as open data.
A distrowatch-like website that can answer questions like:
"Which distro updated the kernel and bind the most and fixed its security issues the fastest in the last three years?"
Currently the data for that is too hard to get from most distros. I think this data would give SLES, RHEL, Ubuntu and Debian a clear advantage over these fire-and-forget distros that just make a release and never do any maintenance.