Note that there were actually four xorg issues involved in that update (with only two being mentioned in the Redhat/Fedora advisories), and it appears that Ubuntu is the only distro that has fixed the remaining two (as of today) .
Among those four, at least CVE-2011-4029 is not theoretical as there is existing exploit code in the wild . That should have been enough to make this one DSA-worthy, but that didn't happen . However, fortunately Debian users taking advantage of the stable-proposed-updates mechanism do have an xorg package with this fix included.
Also unfortunately, the Debian openjdk package unfortunately demonstrates the downside of voluntary software maintenance. If there is no one specifically interested and skilled enough to take care of security issues in the package, then it goes unfixed for long periods of time; whereas in a commercial distro like redhat, there is at least someone saying don't let this thing make us look bad. For example, the latest openjdk DSA, which was issued on 27 Sep 2011 fixed issues disclosed on 2 Feb 2011; a 7 month lag.
There have been talks of setting up a security foundation , which would establish longer-term security support for the stable releases and may involve encouragement by dangling carrots (i.e. money) in front of packages that are currently lacking interested security volunteers. Who knows if that experiment would work though since money is a very touchy subject within the Debian community.
Fortunately, it seems that there are very few packages that would fall into this security neglection category; the only other notable exception being webkit . I had been working to improve that, but I simply don't have free time right now as I'm finishing my PhD dissertation.