i know full well what dlang's talking about and i've explained numerous times where he's right and where he's wrong. to go with your example, here's another situation:
imagine, hypothetically, if you have 8 bug fixes, 2 of which have known security implications (they fix them) and 4 of which have security implications (they introduce them) that are unknown then telling people to only apply the two bugfixes leaves them less vulnerable then telling them to apply all 8. -2 is less than 2.
so what did you try to say again? that we can fabricate arbitrary situations with arbitrary numbers that only prove that the world's not black&white but a shades of grey?
let me tell you (again) where your thinking is wrong: you're saying that people are *not* getting more secure by applying (known) security fixes *because* they could get (even) *more* secure by applying 'all fixes' (whose definition is yet to be determined btw). i hope you'll see one day how ridiculous this is, you *cannot* be worse off by fixing a known security bug. lest you now want to claim that *anyone* who didn't update to 3.3-rc1 (which no doubt contains more fixes than this security bug) is in error.