OK, so what about someone like me who installs SUSE custom, and SUSE, which has all services, well most of them, which would include X, shut down by default, then updated with all patches, and the thing hasn't booted yet. Upon boot up the machine is already locked down, updated and even hardened. harden_suse comes with it as well as the other, Bastill.
That's fine but there aren't too many "you's" around. And that's the problem. It's not people like you that make us cringe. It's schmucks like "Mr. rm -rf *" that make us cringe. They know just enough to be stupid and yet deadly at the same time. Give them an OS they think they know and don't really investigate, and disaster will still happen. E.g., Oh look. I can't surf. Ok. I'll open up and make the firewall allow all.

Hey, Suse can be hardened up the wazoo from the start but if the "culture of security" isn't there with the end user, it means diddly because they may reverse those hardened features or worse, install things that just break them.