and my impression of their response to security issues is of a grudging one.
Ho, ho, ho. Perhaps you formed this impression by the number of times they've gotten reports of a security problem, and then sat on it for an inordinate length of time until someone got tired of waiting for them to get off their duffs and publicized it? :-) Strange how quickly they seem to be able to develop, test, and deploy fixes after someone turns up the heat.