Re: RHEL
"I'm not convinced that what you don't see won't hurt you is a practical philosophy"
That's not what I said or proposed. If you have a known vulnerability, a patch or upgrade being the only solution, then you have to take the risk that you are not adding new problems unless you have the time and ability to fully scrutinise the source code of the patches or upgrade.
Is the risk that an upgrade or patch might introduce a new and as yet unknown vulnerability higher than fixing a known vulnerability? I'd say no.