Well, reading that thread, he fixed every vulnerability in the helper utility that had a demonstrable exploit. Some of the others he didn't fix because they were not easily exploitable: keep in mind, the utility was only used if the core os functionality was not present. That whole thread came across as "I am a security researcher who gets paid lots of money to find CVEs so you should listen to me" and Kovid taking issue with that attitude.