Given our distro system, if we're really worried about hackers
sniffing commit logs, I would rather remove anonymous CVS access.

We can't do that. Many users rely on cvs access to deploy sites.

We can in theory shut that down. But what about http://drupal.org/cvs?

That way you stop the vulnerability sniffing altogether.  Like I
said I know I'm in the minority here and don't really expect to
change your mind on this one.

If we shut down both, then it is no longer an open source project.

Didn't see any major project shut down like that.
 
I've been involved with enough volunteer organizations to know that it's
always an uphill battle to manage workload.  I don't begrudge that,
but I try and keep my expectations tempered.

I really hope no-one on the security team is offended.  I mean no
such offense. I really do respect and appreciate the service that
they provide and yes, I do consult with them when I do my security
related fixes.

No offense taken at all, from you or from others. We are always open
to suggestions (and even recruiting for the security team!)
--
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.