Subject: What to do about unfixed vulnerabilities?
To: None <tech-pkg@netbsd.org, tech-security@netbsd.org>
From: Paul Hoffman <phoffman@proper.com>
List: tech-pkg
Date: 10/23/2000 09:12:21

The new audit-packages package is quite nice, and thanks for the work
that went into it. I run it, and it tells me:

    Package pine-4.21 has a denial-of-service vulnerability,
    see http://www.securityfocus.com/advisories/2646

Yes, but pine-4.21 is the current version of pine. Maybe you can put
a note in the NetBSD vulnerability list explaining either (a) where
in pkgsrc to get the update or (b) don't bother to look, it hasn't
been fixed yet.