"Quite a lot of security issues are fixed in the upstream Linux kernel without a word about their security impact."
Some examples dipped in truth sauce, if you don't mind. I don't believe you.
[I did read about ONE kernel vulnerability in El Reg within the last week or so. It certainly did not get fixed "without a word". In fact, there were a LOT of words, including some security notices.]
I'd say this goes into the "just because you say so does not make it true" bin. I've seen plenty of THOSE that poke at Linux, attempting to say it's "as bad as windows" and "look at all of the security problems" and other FUD. Sounds like something Ballmer would say [no, wait, he DID say!].
In any case, it has been my observation that most of the security problems in Linux have very little to do with the kernel, and a LOT to do with some of the applications running on it. Some of those applications/libaries may even have windows versions (especially media players and browsers).
And the problems with the "[cr]app store" applications with built-in security nightmares is the app store's fault, not Linux [even though Android OS _is_ a type of Linux].