Version numbers aren't that relevant for Red Hat's packages, because we backport security fixes (and features) into the older versions. And yes, customers prefer it that way.
Through the vulnerability scanning I do at work, our tool marks a lot of things just based on version numbers. Looking into them deeper, I see the backported patch has been applied. RHEL does a pretty good job on this, really stands out. Makes my vulnerability scanning a little more time consuming, but frees up time I would otherwise be spending on documenting security breeches and data loss.
Ok, I don't really have a problem with how Red Hat do things. However, if I was employing a sysadmin to administrate my servers, I want the latest production software please.
If you're worried about security updates, Red Hat monitors dozens of channels and backports all security fixes to all supported software, so that's not a problem.
If you're worried about features, Red Hat selectively backports features at customer request, or gives the customers free updates to the new RHEL.
Our customers want to install a particular release of RHEL and have it work and supported for 10 years. They actively don't want random version upgrades (which often remove as many things as they add, as well as causing exciting new bugs).