Does Google still patch the stack (kernel, web server, interpreter, database, modules, etc.) whenever security issues are discovered? I always thought that was one of the best bits of the App Engine model.
Currently we patch all the software on the VM, but not the application container itself. We make new base images available, but the user has to re-deploy to pick up these changes.
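A check that follows from the reply above: since a newly published base image only helps once the app is redeployed, the deployed image can be tested for whether it still embeds the old base layers. The code below is an added example, not code from this thread or from Google. It assumes OCI/Docker image config documents (the `rootfs.diff_ids` list, or the `RootFS.Layers` field that `docker image inspect` prints), where an image built `FROM base` carries the base's layer digests, in order, as a prefix of its own layer list; the digests and configs below are constructed, not pulled from any registry.

```python
"""Is a deployed container image built on the current base image?

Added example (not the thread's or Google's code).  Assumes OCI/Docker image
descriptions: an image built FROM a base has the base's layer digests as the
prefix of its own ordered layer list.  All sample data is constructed.
"""
import hashlib
import json
from typing import List


def layer_ids(image_json: str) -> List[str]:
    """Return the ordered uncompressed-layer digests from an image description.

    Accepts an OCI/Docker image config (rootfs.diff_ids) or the output of
    `docker image inspect` (a list with RootFS.Layers); both list layers
    from the bottom of the filesystem up.
    """
    doc = json.loads(image_json)
    if isinstance(doc, list):  # `docker image inspect` wraps results in a list
        doc = doc[0]
    if "rootfs" in doc:
        rootfs = doc["rootfs"]
        if rootfs.get("type") != "layers":
            raise ValueError("unsupported rootfs type: %r" % rootfs.get("type"))
        return list(rootfs["diff_ids"])
    if "RootFS" in doc:
        return list(doc["RootFS"]["Layers"])
    raise ValueError("no layer list found in image description")


def built_on(app_json: str, base_json: str) -> bool:
    """True when every base layer appears, in order, at the bottom of the
    app image, which is exactly what `FROM base` produces."""
    app, base = layer_ids(app_json), layer_ids(base_json)
    return len(app) >= len(base) and app[: len(base)] == base


def needs_redeploy(app_json: str, current_base_json: str) -> bool:
    """True when the deployed image was not built on the current base, i.e.
    a patched base has been published but the app has not picked it up."""
    return not built_on(app_json, current_base_json)


# --- constructed sample data (hypothetical digests, not real layer hashes) ---
def _digest(label: str) -> str:
    return "sha256:" + hashlib.sha256(label.encode()).hexdigest()


def _config(*layers: str) -> str:
    return json.dumps({"architecture": "amd64", "os": "linux",
                       "rootfs": {"type": "layers", "diff_ids": list(layers)}})


OLD_BASE = _config(_digest("base-os"), _digest("runtime-v1"))
NEW_BASE = _config(_digest("base-os"), _digest("runtime-v1-patched"))
APP_IMAGE = _config(_digest("base-os"), _digest("runtime-v1"), _digest("app-code"))

if __name__ == "__main__":
    print("app built on old base :", built_on(APP_IMAGE, OLD_BASE))       # True
    print("needs redeploy (new) :", needs_redeploy(APP_IMAGE, NEW_BASE))  # True
```

On a real host the two descriptions come from `docker image inspect <app-image>` and `docker image inspect <base-image>` (or the pulled OCI config blobs); a `needs_redeploy` result of True means the VM-level patching described in the reply has not reached the application container, and a rebuild plus redeploy is still required.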