Currently all my Linux VMs are running under ESXi and I've got a physical > Xen migration going at the moment for older Windows servers.

However, I'm slightly concerned at the (apparent, according to Citrix forums) slowness of Citrix to update Debian kernels to fix vulnerabilities. How far behind are they normally, and would I be better off (from a security POV) compiling my own patched kernels that I keep as close to the Citrix builds as possible?