Security updates
This week's appearance of another major security update for Mac OS X leaves me with mixed feelings.
On one hand, it's good to know that the flaws have been fixed; on the other, you can't help worrying why they were there in the first place and (in some cases) why they took so long to fix.
That latter point is particularly relevant to third-party and open source software that's included with Mac OS X.
When a security fix appears for Samba, Flash or some other non-Apple component, shouldn't Apple test that the change doesn't affect normal operation on Mac OS X and then push it out through Software Update in short order?
I'm not asking for weekly updates or anything like that, but security patches for open source projects are inherently public, and so there is a definite risk of exploitation.
And when a major vendor such as Adobe issues a security-related update for a component that shipped with the OS, is there any good reason why it should not be included in the next Security Update? Sure, it's a lot easier to install a new version of Flash than it is an updated version of Samba, but how many users know they should be looking out for updates?
As for the fixes for Apple's own code, why are previously fixed flaws (eg, the one that let Mail open an executable attachment without warning the user) creeping back in? And what's with the continuing stream of buffer overflow vulnerabilities? If individuals can discover them, why can't Apple staff find them first? After all, they have the benefit of source code as well as access to most if not all of the tools used by security researchers.
While I'm at it, why has it taken so long for security fixes that appear to have been included in Leopard to be fed back into Mac OS X 10.4.11?
I know there are millions of lines of code in an operating system, but is it too much to ask for a concerted effort to purge Apple's software of any remaining potential buffer overflows, for example? Microsoft's big security push from a couple of years ago seems to be bearing fruit, with comparatively few patches now being needed each month.
I've resisted the 'security through obscurity' argument about the Mac's almost complete freedom from 'in the wild' exploits, but I'm getting increasingly nervous about the prospect of a major incident.
The bad guys seem to be able to compromise web sites that we'd expect to be safe, and we know they are capable of arranging things so the unsuspecting visitor receives an exploit matching their browser and operating system. Combine this with most Mac owners' reluctance to run any kind of software beyond the standard firewall (and how many are disabled?), and a campaign against Mac users could have serious and widespread effects.
It wouldn't be a complete answer, but the more prompt release of software updates by Apple would be a step in the right direction. Longer term, perhaps the company needs to set more store on security and stability, and less on eye candy. The reflective Dock in Leopard is OK, but wouldn't you rather the resources needed to develop it had been devoted to fixing security flaws and integrating the latest versions of open source projects?
One of Australia's most experienced IT writers, Stephen Withers has been using and writing about Macs since 1984. His journalistic resume includes stints as editor of Australian MacUser and as Macintosh section editor of PC Week. He has also managed a PC and Mac support operation at one of the country's leading universities, and is active in the Mac user group community.