I presume most of the bigger Drupal sites are run by teams that care about security enough to follow security lists closely and have release management in place that would allow hotfixing within hours, if not minutes, of a critical vulnerability being announced.