Today, Dana Blankenhorn on ZD.net opines about the need for open source patch management. More specifically, he talks about notifications of vulnerabilities. Well, the best-kept secrets in open source, the BSDs, handle this just fine in my opinion.
Being a FreeBSD user, I have to say that portaudit and the FreeBSD Security Advisories are a very good existing answer. I stay in the know, and the gap between an advisory's release and my knowing about it is as small a delta as I want. It is completely up to me. The other BSDs have similar mechanisms.
The best thing about the FreeBSD Advisories is that they tell you, as soon as they know, the unvarnished truth.