Not surprising. Red Hat has a squad of people testing and patching the Open Source code which goes into the distribution. If you look at a particular package, like "foobar.1.0.5-12.i386.rpm", the "-12" in the version number is the Red Hat Patch Level, and Red Hat applies patches to everything.
As you've observed, people are not perfect, and all OS code has bugs. It is actually a good thing that Red Hat is sending you all of those notices -- it means that someone is looking through that code, even if you cannot, and fixing problems -- that's what you're paying for when you buy a major distro.