More likely they have to regression test a whole ton of things, just in case, and do all the recompiling in correct order. I can't see anything actually depending on the bug, but making sure they don't screw up the patch is hard.
But a lot of programmers who have never done anything more difficult than mylamesocialstartup.com in PHP have no idea what it's like to build and test something as complex as an OS. No, recompiling your Linux kernel ain't the same thing.
It's not like iOS is some tiny little thing, but they got it out much sooner.
If their build process is so broken that it takes days to take the 10.9.1 tag, apply a one-line patch, and release it, then they're doing it severely wrong. Security problems happen, and you need to be ready to move fast.
Personally, if I was on that team and it came down to taking days to recompile and retest everything, I'd be seriously considering a binary patch as an interim fix. Take the actual built binaries, apply this one patch, and you know nothing else got somehow miscompiled or mislinked in the process.
If they need more than a day to recompile one library with a one-line change and see if it still boots and runs software update, then they have much bigger issues than this single bug.
It's now been 5 days PLUS however long they sat on this for ios.
They do have a bigger issue. The bigger issue is that they're releasing an entire operating system, with 15 years or so of accumulated cruft and process. And it's not just a one line change... they need to understand the implications of the bug across their system and create regression tests to catch all those corner cases, then do the "one line change" and properly regression test it everywhere.
Again, this isn't some little web site. This is a piece of software that thousands of programmers have worked on for more than a decade, millions of lines of code with a tremendously complex build, testing, release, and approval system.
And finally, Apple's primary concern isn't that a handful of customers might be exposed to risk for a couple of extra days. It's that they botch the rollout of a major security patch and have to re-release, or customers are victimized by new bugs as part of the patch. That sort of thing can cost them billions in market punishment.
What? It's a one-line, clearly understood bugfix. (The extra goto wasn't there in 10.8.x and that hasn't caused any problems) Rebuild the library, spend a few days regression testing at least software update so you can re-push another update, and ship it at the same time as the ios and appletv fixes!
You don't spend a week holding the fix hostage so you can fine tune a new os release with "improvements to autofill forms" in safari while script kiddies are running wild with mitmproxy.
Also I would think that a full ios+appletv OS release is much more complicated than an OSX release due to the way the mobile OSes are packaged (probably 10+ unique/model restore images plus delta downloads)
"No, recompiling your Linux kernel ain't the same thing."
You're right. It's not at all like Red Hat compiling and releasing a new RPM which they would push out in hours, max. It's actually much easier. Apple retains absolute control over their source code.
But a lot of programmers who have never done anything more difficult than mylamesocialstartup.com in PHP have no idea what it's like to build and test something as complex as an OS. No, recompiling your Linux kernel ain't the same thing.