
How long should security embargoes be?


Posted Feb 27, 2012 4:22 UTC (Mon) by dirtyepic (subscriber, #30178)
In reply to: How long should security embargoes be? by slashdot
Parent article: How long should security embargoes be?

Test suites aren't going to find security issues opened up by rushed bug-fixes. Nor are they going to find kernel bugs that aren't blindingly obvious. Test suites catch regressions in the package they're testing. Someone fixed a bug and added a test to make sure it didn't happen again. I'm not saying they won't catch bugs here and there, but relying on them for security is foolish.

And even if all distros had access to clusters of machines of every security-supported arch, you'd have to get upstreams to give a shit about unrelated test suite failures before they'd become of any use whatsoever. In my experience, it's been largely "Well, it passes on my machine, sucks to be you". Some upstreams are better than others (libtool always impressed me, even going as far as to offer to add a workaround for a broken version of an in-house tool of ours), but most regard test failures that don't happen to them to be someone else's problem. This is understandable, of course; I'd rather work on something more interesting too.

I'm not going to reply to the rest of your message since I can't seem to come up with a response that would be appropriate in public.



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds