I guess we're having a fundamental disconnect on what "production" means. Production doesn't mean fast. It means stable, and the kind of stability I'm talking about is a year without rebooting. Gentoo simply does not have that kind of reliability, as you'll see in a moment.
The reason Gentoo seems so fast for responding to security is because it's often grabbing things directly from an untested CVS. Distributions like RedHat and SuSE test the packages a _lot_ before releasing them. I think it should be fairly obvious which method is going to be better for a real production server.
And, for the record, RedHat releases security fix RPMs _fast_. These guys responded to the sendmail flaw within 48 hours. That's not bad at all.
Dare I ask what these "production" servers are for?