It means that there are bug fixesall the time, but most of the time no one sorts these into "security" and "non-security" categories.
I remember a message (I can't find it back right now) where this is explained. Basically the thinking is that a lot of bugs can be used to break security, but sometimes it takes a lot of effort to figure out how to exploit a bug.
So you have some choices:
* Research every bug to find out the security implications, which is additional work on top of fixing the bug.
* Mark only the bugs that have known security implications as security fixes, basically guaranteeing that you will miss some that you haven't researched.
* Consider all bugs as potentially having security implications. This is basically what they do now.
I remember a message (I can't find it back right now) where this is explained. Basically the thinking is that a lot of bugs can be used to break security, but sometimes it takes a lot of effort to figure out how to exploit a bug.
So you have some choices:
* Research every bug to find out the security implications, which is additional work on top of fixing the bug.
* Mark only the bugs that have known security implications as security fixes, basically guaranteeing that you will miss some that you haven't researched.
* Consider all bugs as potentially having security implications. This is basically what they do now.