I'm embarrassed that I've only recently stumbled across Microsoft's "Security Research & Defense" blog: http://blogs.technet.com/srd/

It has some great information on what kinds of fixes are being shipped in updates and why. For example, this post discusses a fix IE took to help mitigate the Safari carpetbombing vulnerability. I wasn't aware of this change at all--it looks like a great example of reducing attack surface and doing the right thing for customers.