Good. Reduce yourself to insults and don't even answer the [first] question.
You're right about the insult, but the point remains -- it doesn't matter how long Sun takes. He isn't changing how the security information gets to the world, he's providing Sun a support channel for assistance integrating the security fix.
If a new distribution is available, why penalize those that don't need a distro from a vendor to perform an upgrade? That's the point. Big or small with respect to company size is irrelevant. This question may have already been answered but I dropped off early last night.
In my experience (being a paying Sun support contract customer) I've gotten security fixes from Sun in a time range from 2-6 hours. 6 hours was the longest time that I've experienced from handing them a security flaw they didn't know about until I had a valid patch in my hands.
On a closed circuit channel for security updates.
I'm a paying customer with a different vendor. I use my experience from a few years ago to not rely on vendor knowledge let alone patches in emergency mode. The point is: there are many companies that don't pay for vendor support. They may or may not be big. Why would you or anyone else prefer to inject criticism toward their concern for network security (particularly in light of all of the pissing and moaning that goes on in this list with respect to this subject) just because they do things differently than you?