I think there are two parts to this, both of which are required for either to have real impact:
1. Users need to be able to check whether they are affected by an announced bug. Whether this is by mailing list, subscription or some other system, a temporarily grounded fleet is better than lost hardware or damage liability.
2. Users need to have access to stable versions that have the critical bugfixes backported, else they will keep private branches with their bugfixes on them instead, leading to fragmentation, since they won't be able to justify upgrading to latest releases.
I think we should start with 1., using the simplest system we can think of which isn't too painful. Perhaps a mailing list, and an email template which should be filled in for critical issues, explaining the scope and who is affected. If there are subscribers and this is successful, it can have some infrastructure added, e.g. a bot that looks for tags and requests filling in a Google form, or more.
Item 2. is more of a maintenance issue; I think this is already a medium-term goal, correct?