I read a comment once that enumerated all the ways even spinning your own linux distro is doomed to fail. It's far more work to properly develop a distro for security and if your distro is just "Ubuntu minus stuff I don't like" then you aren't really maintaining anything that couldn't just be a script you have people run on base Ubuntu.