As I pointed out in a comment to an earlier Register article on the topic of maintenance releases: we *always* make maintenance releases every 3-4 months, which contain bug fixes (including security fixes). This release does not contain any new security fixes, only those which had already been publicly disclosed. In addition, the Xen Project does not make binary releases. It makes source releases which are consumed by distros and commercial products and services. The vast majority of Xen users do not use Xen directly, but use a distro, a commercial variant of Xen or a Xen-based service. Only a small number of users build and use Xen from source.
Some of the commits which have been highlighted in the article are of course XSAs: for example, "xl: Sane handling of extra config file arguments" includes XSA-137. This is also an excellent example which shows how we review older code after an XSA is discovered and harden it. The number of fixes in a maintenance release is well within the normal range for similarly sized projects or products. If it is higher, then this is a reflection of the needs of different vendors and distributions who request backports of specific bug fixes for their own convenience, to avoid having to carry large patch queues, in accordance with our maintenance release policy at http://wiki.xenproject.org/wiki/Xen_Project_Maintenance_Releases