I still don't buy the excuse. Stallman created patch and they should be able to use that. Granted it may not affect most people but it is still a security flaw and needs to be addressed now, not on MS bugfix time.
Even though I understand their thinking (and obviously don't agree) it is at the least very bad for PR. Explain to your next client that you are trying to convince to leave IIS/SQLServer,MySQL or even Oracle, that PG's developers determined they don't want to fix buffer overflows, and if you get DOS'd or cracked it is your problem.
Security problems need to be fixed rapidly, this isn't another feature being added.
I certainly don't hold Oracle (unbreakable?) as the standard for security.