Hacker News
Lessons from the Debian/OpenSSL Fiasco (swtch.com)
14 points by luckystrike on May 21, 2008 | 2 comments



Provide as many tips and rules of thumb as you want. Sometimes, it's safe to modify code you don't understand. And then, those tips will help. But that all goes out the window when it comes to security code. If you don't understand security code, don't mess with it.


Excellent points here, especially the bits about the rationale behind patching major packages when maintainers should be taking the extra time to submit patches upstream instead.



