I can't help but wonder why security reviews aren't standard practice. Surely enterprises would be willing to pay for that? You get the default releases as they are today, then a second line that gets a "security reviewed" certification released at most a few weeks later.
Of course the problem there is that security audits are fallible. Some issues are so subtle that they are only revealed years after they're introduced, despite them being open source and subject to potentially all the tools and eyes.