I got both at the same time because I checked email and Drupal.org about the same time.  Simplenews sends email for x time per cron run.  The Security list is sent via Simplenews to allow for integration.  In reality, there is no secure method to ensure that 'legitamte' site admins get notifications before hackers do.
 
It's a shame you are disappointed.  Please coordinate OFF LIST with the security team for a model you think would be more better faster stronger.
 
 

From: development-bounces@drupal.org on behalf of Darrel O'Pry
Sent: Mon 3/13/2006 3:45 PM
To: development@drupal.org
Subject: Re: [development] Re: [support] Drupal 4.6.6/4.5.8 security releases

On Tue, 2006-03-14 at 00:24 +0100, Alejandro Exojo wrote:
> El Martes, 14 de Marzo de 2006 01:03, Gerhard Killesreiter escribió:
> > are now available. See drupal.org/node/53524
>
> It's a problem only here, or the list where the security advisories are
> supposed to be sent, is completely useless?
>
> By pure luck, I've checked my news aggregator, and I've found the new release
> which fixes 4 security bugs, but I haven't received _anything_ from the
> mailing list yet (which I check a lot more often).
>
> I'm really very disappointed about how the Drupal project is handling releases
> and security advisories. IMHO, it's the worst "big" free software project in
> this regard.
>

Wow, that whole lag between notifiction channels... I can see the script
kiddies firing up their bots trying to exploit sites between when the
notifications are sent on the dev list, posted to drupal.org, and sent
to the security list...

.darrel.

--I think I'm in a slightly sarcastic mood today.