Very interesting experiment, thanks for doing this!
One thing I noticed that would take little effort and help improve clarity for the bugs marked as security-relevant would be to provide some context to included oops/BUG in the commit messages. If it's for a resident device like a soundcard, did the oops occur prior to init, or was it triggered at runtime by a user?
Seeing oops messages consistent with a particular exploitable bugclass always sets off alarms, but in many instances the bugs just aren't reachable by an attacker. A few extra words of context could help.
Some of the ones you missed (the move_pages() one for example that I wrote an exploit for) would have been caught if the information known by the committer (Linus in this case) had made it into the commit message. That particular bug was reported by SuSE security and its impact was known. It was even reported to SuSE as having security impact. It's a good example of how deliberate obfuscation hurts the wrong people. In this case, you didn't spot it as being security relevant, while I wrote an exploit for it.