Which is the point. The entire 'security circus' business is an excuse to avoid the real issues here. Phrased differently, what does 'security circus' have to do with upstream improving the security of their own kernel?
The answer is: "nothing." So why is it brought up so much when it's completely irrelevant to any kind of discussion we're having here?
I can think of a million better questions, like "what is Linux doing to attract security talent for mainline work instead of pushing away potential contributors?" or "Linux is used on millions of systems; why isn't there a single person employed full-time to improve upstream kernel security?" or "How can we move away from the find bug/patch bug mindset/approach to security?"
But it says a lot about an individual and their view toward security when the most useful thing they can muster is some regurgitated crap about "security circus" as if they're saying something insightful or intelligent.