Red Hat and Superseded Patches

BigFix patch policies by default exclude superseded patches. I just noticed that for RHEL patches that some security updates get superseded by bug fixes. For example fixlet RHSA-2023:6368 gets superseded by RHBA-2023:6734 (a bug fix)
If you were to only select Category “Security” when configuring your patch policy then am i correct to assume that the CVE’s that are addressed by RHSA-2023:6368 would never be remediated since the patch policy is not including bug fixes?

Thats correct ! WebUI patch policy is designed that way.

There is no other choice if you want to use superseded patches than the traditional approaches of direct patch or baseline deployment.