In my personal opinion it would be a good idea to have a security tracker.
Given the sensitive nature of security issues as has been mentioned by Linc, and I agree, security issues need to be submitted confidentially amongst trusted parties.
This has be happening quite well recently. However there lacks a formal process, and critically a tracker to keep track of outstanding issues, and interface for which to do it.
Not only is important that security issues are address in a timely manner. It is also import to be seen to addressing these issues (with divulging the sensitive materials).
I'm not proposing a bespoke solution, but to to search for existing software that would fit the bill. Something that allows the person who has found the security exploit to submit that information, to be shared.
Where I think the being seen to care would fit in, would be (perhaps controversially), to grade the open security issues and then declare then information publicly. I understand this is a big deal, but on the other hand it provides confidence that things will be dealt with, and I think they will be dealt with in a timely manner.
This shows trust, and this should be hopefully reciprocated.
Also formally making people aware they need to update, in core would be a good feature to have eventually.
grep is your friend.