This also points out one of my concerns with the RHEL distribution (we have lots of copies we pay RH for, and a few we use CentOS for). For some packages, we'd REALLY like a choice of staying on the present train, or moving forward. In our case, sendmail-8.13 would be useful, and php-5.x would be useful. If there were the possibility of getting those -- including bug fixes for security updates via normal patch installation methods -- we would be much happier.
postfix :P
Except for one security issue and one DoS way back in time, postfix has been pretty good when it comes to security issues, being as it is written by a security expert.
The latest RHEL postfix is 2.2.10, which brings along a lot of lovely features, and it is also a complete drop-in for sendmail.
Or you can become a sendmail expert and package your own up-to-date sendmail.