The note at the top of the page state:
"Oracle is really slow in fixing security issues. For our security issues it takes 356 days until Oracle provided a fix for the reported issues. Many issues were fixed without informing their customers"
This figure of 356 days I think refers to either those advisories with no specific number of days to fix or it could be an average (Alex?)
The worse figure quoted by Alex is 656 days for the bug "Buffer Overflow in Create Database Link in Oracle8i - 9i". This is not really on!, why should it take almost 2 years to fix a bug in any software, especially a security bug.
Finally on Alex's "Upcoming Security Alerts" page there are no figures of days to fix, as they are not fixed yet but it does not need too much math skill to see that there are quite a few reported in 2003, the earliest July 2003.
Oracle has made great advances with their advisories content. I hope that they will improve on the number of days to fix security bugs as well.