I dislike that they do not segregate out security releases from bug fixes from feature creep.
Drupal these days basically does it as follows
- new features = major release
- bug fixes and security releases only for current version
- security releases segregated and notified differently than bug fixes (i.e. you can choose to receive upgrade warnings only for releases that include security items).
- modules fall under the same notification system - so I only get notified of upgrades for modules with *security* problems.