Hello David,
If that formulation sounded disrespectful I apologize. It honestly wasn't meant that way!
Having a brief look at the homepage and clicking through a few links didn't bring up this page with the link to the policy for me. So I think that link should be a bit more prominent, e.g. in the footer or maybe the "community" sub-menu. Finding it right now is rather hard.
We had a public discussion over the last weeks which ended up in the initial version of the document [1]. The PMI already has a field for providing information about fixed security issues, or, if there were none, then this field should be filled with a short statement that there were no known issues at this point. It also handles the case of how to provide information without disclosing the actual issue, allowing for a controlled disclosure. I know that this step, of filling out the field, is new. It should ensure that this field is not simply forgotten, but filled in one way or the other intentionally. Tracking security vulnerabilities should still happen in the Eclipse Bugzilla, as the Eclipse Security Policy states.
I consider the GPL issue rather important, as this issue (not the GitHub issue entry, but the issue itself) has now been open since before Kura 2.1. And effectively it is not possible to re-compile Kura in the way it is distributed right now. But I guess it shouldn't be a big issue providing the sources in a reproducible way.