Also, in terms of security, Oracle's "forks" are decades behind. They managed to make Red Hat insecure with their own dogshit changes.
There are so many CVEs for Oracle specifically that are just bad default usernames and passwords, where they still dispute the CVE reports because it is "intended behaviour".
RHEL also introduced some... interesting changes a few times, like re-enabling ciphers removed from upstream because their clients needed them for something.
I remember our amazement at how we failed an audit for having a cipher enabled in an OpenSSH version that had that cipher removed upstream...
I always have to chuckle a little when git tells me that Azure DevOps is too insecure to connect to because of a deprecated cipher they still use today :D
Loosely related: I've audited so many BSD instances that were using MD4/NTHASH in their passwd and shadow files because they wanted to keep compatibility with their Windows infrastructure... it's stunning to see what is still possible in terms of misconfigurations. Things that should have been removed a long time ago.
The neat thing about RHEL is that there's a single 'crypto-policies' package which configures available TLS versions and algorithms for everything in the system: TLS, SSH, IPSec, DNSSEC, Kerberos and so on.
Regarding SSH, the FUTURE policy removes AES128, HMAC-SHA1 and DH Group 14.
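
An audit check for the SSH point in the comment above, as an added example that is not part of the thread: it reads `sshd -T`-style effective configuration and reports any AES128 cipher, HMAC-SHA1 MAC or DH group 14 key exchange still enabled. The function names and both sample configurations are constructed for illustration; the list of algorithm families is taken from the comment, not from the policy files.

```shell
#!/usr/bin/env bash
# Flags the three algorithm families named in the comment above.
# Input: effective sshd configuration on stdin ("key value" per line).
# Output: one "key: algorithm" line per finding; exit status 1 if any.
flag_weak_ssh_algos() {
  awk '
    {
      key = tolower($1)
      if (key != "ciphers" && key != "macs" && key != "kexalgorithms") next
      n = split($2, algos, ",")
      for (i = 1; i <= n; i++) {
        a = algos[i]
        weak = 0
        if (key == "ciphers" && a ~ /^aes128-/) weak = 1
        if (key == "macs" && (a == "hmac-sha1" || a ~ /^hmac-sha1-/)) weak = 1
        if (key == "kexalgorithms" && a ~ /^diffie-hellman-group14-/) weak = 1
        if (weak) { print key ": " a; found = 1 }
      }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample: a host that still offers all three families.
sample_legacy() {
  cat <<'EOF'
port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
EOF
}

# Constructed sample: none of the three families enabled.
sample_strict() {
  cat <<'EOF'
port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512
EOF
}

# Demo on the constructed sample. On a real host, as root:
#   sshd -T | flag_weak_ssh_algos
sample_legacy | flag_weak_ssh_algos || echo "weak algorithms still enabled"
```

Checking the output of `sshd -T` rather than the active policy name catches the audit failure described earlier in the thread, where the algorithm a daemon actually offers differs from what the upstream version suggests.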