Open Source Is Fertile Ground for Foul Play contains important security concerns. One part of the Total-Cost-of-Ownership will be, basically, open source code auditing, for those companies who go that route. No way to gloss over that. It is most certainly possible to inject malicious code into distributions, but you will certainly have to make it past the review systems of the packages/distributions themselves (including MD5 checksums, diff reviews, the rather efficient ways in which vuln information works its way around the open source community, etc.).
As more companies go the open source route, however, they will have an economic incentive to keep the code clean. For instance, MySQL would have a big problem on their hands if something happened to the MySQL codebase. Red Hat would if PostgreSQL had a problem. Mandrake if KDE had a problem. Thousands of companies, if Apache, PHP, or Python had a problem.
Fedora and Win2k3 don’t have many because they are relatively new. Fedora for one will certainly have scads, hundreds, and you’ll get hosed if you don’t keep things updated (and as much as possible shut off and/or removed from the system).
One interesting aspect is that many vulns have to do with optional, separable pieces of the distribution. For instance, if OpenSSH has a vuln of a certain version, it will touch Debian, Slackware, RH 9x, Mandrake 9x, etc. etc., but obviously SSH might or might not be used on a system. Same for PHP, which is part of almost all the dists. But only a certain subset of installations use it for anything.
To apply this to RH 9.0: Many RH 9.0 vulns (Xpdf, mutt, sendmail, PostgreSQL, Ethereal, etc.) won’t apply, depending on what you’re running. But the idiot factor will be in play; if you install a dist but then don’t remove/turn off what you’re not using, then you’re in trouble.
(P.S. Nice Response: Who’s guarding the guards? That would be us)
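The point made above, that whether an advisory matters depends on what is installed and what is actually switched on, can be turned into a simple triage step. This is an added example, not code from the original post: it parses `rpm -qa`-style lines and sorts advisories into "patch now", "installed but idle" and "not applicable". All package lines, service names and fixed-in versions are constructed placeholders, not real advisories, and the version comparison is deliberately simplified (no epoch, release or letter handling).

```python
def parse_rpm_line(line):
    """Split an `rpm -qa`-style 'name-version-release' line from the right,
    since package names may themselves contain hyphens."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release

def version_key(v):
    """Leading-number comparison per dotted field: '3.5p1' -> (3, 5).
    Simplified; real RPM/dpkg ordering also handles epoch, release and letters."""
    key = []
    for field in v.split("."):
        digits = ""
        for ch in field:
            if not ch.isdigit():
                break
            digits += ch
        key.append(int(digits) if digits else 0)
    return tuple(key)

def triage(installed_lines, enabled_services, advisories):
    """advisories: (package, first_fixed_version, service_name_or_None).
    A service of None means a local tool that applies whenever installed."""
    installed = {}
    for line in installed_lines:
        name, version, _ = parse_rpm_line(line)
        installed[name] = version
    result = {"patch_now": [], "idle_but_vulnerable": [], "not_applicable": []}
    for pkg, fixed_in, service in advisories:
        version = installed.get(pkg)
        if version is None or version_key(version) >= version_key(fixed_in):
            result["not_applicable"].append(pkg)       # absent or already fixed
        elif service is None or service in enabled_services:
            result["patch_now"].append(pkg)            # vulnerable and in use
        else:
            result["idle_but_vulnerable"].append(pkg)  # unused: remove or patch
    return result

# Constructed sample data; versions and fix levels are placeholders, not real advisories.
SAMPLE_RPMS = ["openssh-server-3.5p1-6", "php-4.2.2-17", "xpdf-2.01-11",
               "sendmail-8.12.8-4", "mutt-1.4.1-3"]
SAMPLE_ENABLED = {"sshd", "httpd"}   # e.g. taken from chkconfig --list
SAMPLE_ADVISORIES = [("openssh-server", "3.7.1", "sshd"),
                     ("php", "4.3.3", "httpd"),
                     ("sendmail", "8.12.10", "sendmail"),
                     ("xpdf", "3.0", None),
                     ("postgresql-server", "7.3.4", "postgresql")]

if __name__ == "__main__":
    for bucket, pkgs in triage(SAMPLE_RPMS, SAMPLE_ENABLED, SAMPLE_ADVISORIES).items():
        print(f"{bucket}: {', '.join(pkgs) or '-'}")
```

The "idle_but_vulnerable" bucket is exactly the case the post warns about: a package left on the box after install that nobody uses but that still needs to be removed or patched.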