``You'd have to fix the hole in 400 separate copies of the codebase, something version control was designed to prevent the need for but which linux groups seem to have abandoned...''
Its somewhat better on Linux. Consider the recent flaw in a JPeg rendering library that hit both Microsoft and Linux systems. Because the Linux shared library system works so well, Linux users just update the one copy of the library on their systems. Tools like aptitude, a nice wrapper around apt, make that easy. Aptitude will even automatically remove the library if it is no longer needed. The end result - the library is fixed once; all applications benefit.
Conversly, on Windows, every application has its own copy or is statically linked to the library. Its a workaround to DLL-Hell. Dot-Net promises a Linux like fix for it, but is not here enough yet, so Windows user have to get updates for every application on their system that uses the JPeg code.
Windows Update only benefits Microsoft's own applications. Does it even benefit Office, or is it Windows System only? Whatever - it doesn't help that non-Microsoft photo viewer you got with your camera. Did you remember to update all of the programs on your system that use JPegs?
The Linux Shared Library system was designed as a multi user system. Unlike Windows which, in the past was always single user to the core, and even now I think would load a seperate copy of each application and all its libraries into memory for every instance running, Linux shares library and even application code between running instances.
Thats how applications can be quoted as "10M RAM plus 2M per additional user". The JPeg library need only be on the system in one place, and need only be loaded into RAM once, no matter how many applications or even distinct users are using it.