I am a Linux user, which means that I expect to see announcements saying “users of [software]-versionx.x should update to versionx.y because the following exploit will make your system vulnerable in this way” The way WP chooses to do it does not make it safer (if I were a cracker, I would look at the bug-tracker).

Looking at the WP dashboard on my site, when 2.0.1 was released, there was a link to all the fixed things. 2.0.2 doesn’t have this – compare http://wordpress.org/development/2006/01/201-release/ with http://wordpress.org/development/2006/03/security-202/

The “bug” (alleged security issue) actually was fixed in 2.0.2 here… but that wasn’t the reason for the update (because it wasn’t a valid security concern).

As to what the update addresses:
SQL injection, XSS and CSF loopholes that were discovered internally, as well as a few miscelaneous non-security-related bugs (like the one in changeset 3584).

See here for the whole list of what has changed in the 2.0 branch.

I understand your concern with regards to openness… but considering that there was no public knowledge of these security bugs (and thus, no instances of them being exploited), it wouldn’t make sense to explicitly describe the security holes when the new version is offered. That would only give the script kiddies a head start. This way, the public knows that there are security issues being addressed, and that the upgrade fixes them, but any would-be exploiters have to actually work to figure out what they are.

It’s not that the bugs are being hidden… they’re there for everyone to see in the links I just provided… they’re just not being advertised in explicit detail just yet.