Maybe it is just because all zope.org security alerts where promptly posted on the usual sites (like RedHat's or SuSE's) and people were not able to judge the importance of those.
I believe this is the problem: - we see a hotfix which fixes an obscure security problem in an unusual situation. Mostly related to allowing trusted users access to create stuff (a la Zope.org). Most sites do not do this and most security patches are of little importance. - this hotfix gets reported on Zope.org and thanks to the wonders of syndication and RSS is reported on numerous sites. There was an old article on this (http://www.zopezen.org/SDot/983385083/index_html). Everyone thinks Zope is insecure and hence people see all these security patches with Zope in them and think its insecure. Im not sure how to solve this or educate people. Cheers. -- Andy McKay.