>I'm just saying that distros' security announcement lists aren't the fastest way to get news like this
Certainly the volunteer distros without paid staff from a major sponsor are not the fastest way.
On the other side, I just wondered 2-3 weeks ago that a security announcement came 1-2 weeks after I had installed the fix from the normal repo (not testing repo). So the security list was definitely not the best way to stay informed. I think it was OpenSUSE (but could have been Ubuntu, I use both. Definitely a commercially backed distro, though). Not sure whether that was an accident/exception or whether this happens more often or even regularly, I don't compare systematically.