vmsplice on 64bit kernels wasn't a NULL ptr deref (see http://lwn.net/Articles/271874/). perf_counter wasn't either (I released 2 versions of it -- one that used a NULL deref and one that didn't)
From reading slashdot comments I was surprised how many people were posted with mmap_min_addr set to 0, and seeming surprised or not understanding why it had been turned off. It was also worrisome to see people just check the value and determine that that meant they were protected -- which is not necessarily the case, particularly for RHEL. I don't know what kind of standards are in place for this, but it seems like a user-visible warning should be given (like the ones I see on Debian) if a user is installing something that will force mmap_min_addr off. Some people reported that it was turned off, but all their apps worked fine -- could the request to disable the feature be moved to the application for when it's actually used?
Anyway, I wouldn't try to over-analyze the threatscape of the kernel based purely on exploits I release publicly.