The alternative is that following a CVE issue everyone's box gets a (hopefully fixed) version of the vulnerable package even if they were not running it previously.
The real point of using Provides is simply to give a definitive label that a package contains a backported fix for a particular named security issue - not that a package is or isn't vulnerable to an issue, and not to help keep a system up to date with security issues, or help enforce any security policies - projects like OVAL (http://oval.mitre.org) are designed to do that sort of thing. The Provides would go away once the backported patch was removed (due to moving to a newer upstream version, etc.).
Right now to determine if a particular issue is fixed you need to search the changelog, and if nothing is mentioned, unpack the SRPM, then look in each of the patches to see if the CVE name is mentioned, and if not, whether the patches included vaguely match the patch for the issue. We do this in our pre-release audit - packages are horribly inconsistent.
Mark
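
The lookup order described in the message above, written out as an added example that is not part of the original e-mail or of any project's tooling. The function names and the label form (the bare CVE name as an RPM capability) are assumptions; `audit_pkg` needs `rpm`, `rpm2cpio` and `cpio` installed.

```shell
#!/bin/sh
# Added example. Assumed label form: the bare CVE name as an RPM capability.

# cve_evidence CVE PROVIDES_FILE CHANGELOG_FILE SOURCE_DIR
# Prints the first place the CVE name turns up:
#   provides  - explicit label on the package
#   changelog - named in the changelog
#   patch     - named inside a patch shipped in the SRPM
#   none      - no name anywhere; patches must be compared by hand
cve_evidence() {
    cve=$1; provides=$2; changelog=$3; srcdir=$4
    # Capability names are column 1 of `rpm -q --provides`; match exactly.
    if awk '{print $1}' "$provides" | grep -Fxq -- "$cve"; then
        echo provides; return 0
    fi
    # -w stops CVE-x-123 from matching CVE-x-1234; -i tolerates "cve-...".
    if grep -Fwiq -- "$cve" "$changelog"; then
        echo changelog; return 0
    fi
    # grep -l lists matching patches; any output at all means a hit.
    if find "$srcdir" -type f \( -name '*.patch' -o -name '*.diff' \) \
            -exec grep -Fwil -- "$cve" {} + | grep -q .; then
        echo patch; return 0
    fi
    echo none
}

# audit_pkg CVE INSTALLED_PKG /absolute/path/to/pkg.src.rpm
audit_pkg() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src"
    rpm -q  --provides  "$2" > "$work/provides"
    rpm -qp --changelog "$3" > "$work/changelog"
    # Unpack spec and patches from the source RPM.
    ( cd "$work/src" && rpm2cpio "$3" | cpio -idm --quiet )
    cve_evidence "$1" "$work/provides" "$work/changelog" "$work/src"
    rm -rf "$work"
}
```

A result of `none` is the case the message calls out: the fix may still be present, but only a manual comparison of the patches can show it.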