Of the vendors available (Red Hat, Novell, or Canonical/Ubuntu), only two do a great job of customizing their kernels for enterprise-ready systems: Red Hat and Ubuntu. The security issues related to these distribution-specific kernels vary. With that in mind, you may not want to apply a security update as soon as it becomes available, as it may not be needed in your network environment. The main point, which cannot be stressed enough (for both vendor-specific distributions and stock kernels), is that updates need to be thoroughly tested in a “test” environment. Prior to testing, a plan needs to be written up and discussed so that the system is exposed to all possible threats and each can be confirmed as mitigated. The key is to test, test, and test the updates prior to rolling them out to a production environment.
A stock kernel would be the other choice, but it is not recommended because of the amount of information that must be sorted through, for the specific needs of the banking infrastructure, when doing a security update. This would be extremely time-consuming, as not all updates are security-specific. The individual would also need to sort through the system software that is in use. Security issues that affect one system could very easily affect a related system (e.g., network hardware).