One more voice on this: we actually run the yum security plugin, several
times a week, and it does report things... and almost all our systems are
CentOS.
When I see something in there, just as when I see an announcement where
there are updates marked important, and esp. critical, we roll them out,
by themselves if possible, within days, as opposed to waiting until the
maintenance window, which could be 3.5 weeks away.
We only do the full updates during the maintenance window (or via
negotiation with a workstation owner....)
mark