No, I don't believe that's the case.
> Linux distro vendors provide a contractual relationship with their customer base that provide SLA's around patching security defects and bugs.
I don't think many - if any - GNU/Linux distro vendors provide anything like that.
RHEL may - it's been a while since I've read a RH contract - but most distributions, as noted by parent, make it quite clear in the licence agreement that everything is provided as is and is sold without any warranty or assurance of suitability etc.
> They also enforce policies around uptake of new third party code.
Is third party code here the same as 'upstream' in the first take? 99% of most distributions code is 'third party' or 'upstream' in the sense it comes from people other than distribution maintainers.
> They also do extensive patching of all of their packages to mitigate the vulnerabilities that upstream providers do not patch.
I know Debian does this, and I trust them with the process. I'm not a big fan of RedHat, but I also know they have an excellent reputation on this front.
It doesn't change the fact that licences clearly put responsibility on the user not the distributor.