Earlier this month Pete Finnegan wondered whether we will get security patches for XE. Mark Townsend has now posted on the OTN XE Forum that Oracle intends to release fully patched versions of XE. Users will just install the new XE software over their existing install. This approach is deemed to be "easier than patching".
Given the target demographics of XE this is probably true but it will be interesting to see how this works in practice. This will presumably create additional overhead for ISVs who wish to customise the XE download (for instance by replacing the default seed DB).
Still, at least it looks as though we will avoid Pete's nightmare version of thousands on unpatched Oracle databases taking over the web.