Also, just hook up to yum and keep that test VM set updating daily.
EL has been so stable that I've had a good portion of the herd cron-yumming for about 20 years now. It's gone about 2% to shit since systemd and networkmangler and other useless fridge art, but it's still the easiest method to avoid 95% of problems.
You may not like the numbers, but 7 THOUSAND consecutive successful update runs is a decent enough track record for me. Make sure to needs-rebooting&&reboot on a decent schedule.
BSD boosterism is a meme, I know, but honestly this is the incorrect take.
Anything as large and complicated as a kernel has bugs. Some of those bugs may be security related. If security is your concern, you want to use the kernel which has people actively publishing those bugs so they can be patched.
The fact you haven't seen privilege escalation vulnerabilities in BSD isn't necessarily because they aren't there. We don't know that. What we do know is that not as many people are looking.
That's the goal of OpenBSD, to prioritize security and actively find ways to crack or break OpenBSD in order to consistently harden it to the point that people at DEFCON conferences have given up trying to hack it due to being such a lengthy process each time only to fail.