Subject: Re: dependencies & security vulnerabilities
To: Malcolm Herbert <mjch@mjch.net>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-pkg
Date: 08/01/2005 08:49:04
  I agree with the sentiment here, but how do you intend to distinguish
  between two versions of a particular pre-compiled package with the same
  version number where one is secure and the other not?

I'm 99.9% sure that

  Everyone thinks PKGREVISION++ is appropriate for the package
  for which a security fix is applied, because bumping PKGREVISION is
  appropriate for any significant change.  Certainly the version has
  to change so audit-packages can function properly.

  If a package's ABI changes, then PKGREVISION should be bumped in
  packages that depend on the package:
  http://www.netbsd.org/Documentation/pkgsrc/buildlink.html#updating-buildlink-depends

The issue at hand is whether to bump PKGREVISION for depending
packages when there is a security fix but no ABI change.

-- 
        Greg Troxel <gdt@ir.bbn.com>
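The point that "the version has to change so audit-packages can function properly" rests on how audit-packages works: it compares each installed package name against version patterns in pkg-vulnerabilities, so a fixed build that keeps the same name and version is indistinguishable from the vulnerable one. The following is an added example, not part of this message and not pkgsrc's own audit-packages code: a simplified matcher that shows why a PKGREVISION bump (the `nbN` suffix) makes the fixed build fall outside a `foo<1.2nb1` pattern. The vulnerability entries and installed package list are constructed; the pattern syntax supported here (`pkg<ver`, `pkg<=ver`, `pkg>=ver<ver`) is a subset of the real one, and the version comparison handles only dotted integers plus `nb`, not the alpha/beta/rc/pl suffixes or glob patterns that real dewey matching accepts.

```python
import re

# Constructed pkg-vulnerabilities-style entries: (pattern, type, reference).
# The reference URLs are placeholders, not real advisories.
VULNS = [
    ("foo<1.2nb1", "buffer-overflow", "http://example.invalid/foo-advisory"),
    ("bar>=2.0<2.0.3", "remote-code-execution", "http://example.invalid/bar-advisory"),
]

# Constructed list of installed packages, as pkg_info would print them.
INSTALLED = ["foo-1.2", "foo-1.2nb1", "bar-2.0.1", "bar-2.0.3", "baz-1.0"]

def split_pkgname(pkgname):
    """Split 'foo-1.2nb1' into ('foo', '1.2nb1') at the last hyphen."""
    base, _, version = pkgname.rpartition("-")
    if not base or not version[:1].isdigit():
        raise ValueError("not a package-version name: %r" % pkgname)
    return base, version

def parse_version(version):
    """Return (dotted integer components, nb number); nb defaults to 0.

    Simplified dewey parsing: only digits and dots before an optional nbN.
    """
    m = re.match(r"^(.*?)(?:nb(\d+))?$", version)
    main, nb = m.group(1), m.group(2)
    try:
        parts = [int(p) for p in main.split(".")]
    except ValueError:
        raise ValueError("unsupported version syntax: %r" % version)
    return parts, int(nb) if nb else 0

def cmp_version(a, b):
    """Dewey-style compare: -1, 0 or 1. '1.2' == '1.2.0' and '1.2' < '1.2nb1'."""
    pa, na = parse_version(a)
    pb, nb = parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    if na != nb:
        return -1 if na < nb else 1
    return 0

# Relational operators allowed in a pattern, applied to cmp_version's result.
OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
}

def matches(pkgname, pattern):
    """True if an installed package name satisfies every bound in the pattern."""
    base, version = split_pkgname(pkgname)
    m = re.match(r"^([^<>]+?)((?:[<>]=?[^<>]+)+)$", pattern)
    if not m or m.group(1) != base:
        return False
    for op, bound in re.findall(r"([<>]=?)([^<>]+)", m.group(2)):
        if not OPS[op](cmp_version(version, bound)):
            return False
    return True

def audit(installed, vulns):
    """Return (pkgname, type, reference) for every installed package a pattern hits."""
    hits = []
    for pkgname in installed:
        for pattern, vtype, ref in vulns:
            if matches(pkgname, pattern):
                hits.append((pkgname, vtype, ref))
    return hits

if __name__ == "__main__":
    for pkgname, vtype, ref in audit(INSTALLED, VULNS):
        print("Package %s has a %s vulnerability, see %s" % (pkgname, vtype, ref))
```

Running it flags `foo-1.2` and `bar-2.0.1` but not `foo-1.2nb1`: the `nb1` bump is the only thing that lets the matcher tell the patched build from the unpatched one, which is why a security fix must change PKGREVISION even when nothing else about the package name changes.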