[jeremyhu]

Upstream fixed the issue a couple days before Xcode 7.3 was released (and didn't even have their story straight about what version actually contained the fix). The fix was available in the 7.3.1 beta less than a month later, so I'm not sure where you get "months" from there.

As for the OpenSSH issues you mention (CVE-0216-0777 and CVE-0216-0778), those were fixed in OS X 10.11.4 months ago.

[0x0]

The git bugs were announced around March 15th (with some funny business going on with 2.7.1 and 2.7.3, before 2.7.4 came about). Debian released patches for git in DSA-3521-1 on March 19th, Xcode didn't fix this before 7.3.1 yesterday. That's about a month and a half. Beta versions of Xcode can't be used to submit to the app store, so they aren't useful because any serious developer will still need to have the latest stable xcode installed and probably set as default to not risk appstore submission problems.

Debian: 4 days to patch. Xcode: 50 days.

The openssh bugs were announced around January 14th. Debian released patches for OpenSSH in DSA-3446-1 on the same day. I guess Apple finally fixed it in OSX 10.11.4 which was released on March 21st. That's more than two months. Thanks for the heads-up, though, after two months with no patch I kind of assumed there would never be a patch.

Debian: 0 days to patch. OSX: 67 days