Their model matches standard industry practices. You can do this with any other project, open, or closed.
You are an embedded developer, we get it. You guys are infamous for your level of security.
Not everybody enjoys the same luxury, though. Some software needs to have fewer bugs than the industry average and has to face a severely adversarial environment, such as just about any network or a multi-user machine, for example. I was under the impression that OS kernels do belong to this group.
I disagree about every other project, open or closed. For starters, you wouldn't even be able to submit patches like that to Windows. And even if you did, say by including them with an email to security@microsoft.com warning about a 0-day you just found, something makes me feel that they would review your fix quite thoroughly before shipping it.
And remember, Linux is the guys who used to laugh at Microsoft 10 years ago.
It's simply pathetic, there is no excuse.
edit
It's doubly pathetic because I have still seen no evidence nor admission from the submitters that the patches which actually made it to stable kernels were malicious. Remember, the deliberately malicious patches have been "outed" by the submitters themselves as soon as they received approval on the mailing list.