I guess I'm less concerned with the distribution system and more concerned with providing usable secure 'configs' for end-users. Regardless of the distribution system we should really go in and show what a stable / secure system consists of whether it be a php/apache server or an SMTP virus scanning server.