Currently, known packages with security vulnerabilities are penalized on Arch Linux systems, even though there is no update for them yet. Would it make sense to only penalize packages for which updates are available?