For 2008 and 2012 I added the HotFixes object as a part and simply do the following check
"Windows Hotfix:*MS14-066*" exists
For 2003 I added the Application object named: "Security Update for Windows Server 2003 (KB2992611) and do the following check
"Windows Application:Security Update for Windows Server 2003 (KB2992611)" exists
I used WMIC in an extended object and got a list of hotfixes by KB
Then created a rule checking that name = KB2992611
(edit: added command) WMIC qfe get hotfixid
This should basically do what Richard's solution will. Both are valid, do use what works for you.
Does rscd on the backend run 'wmic qfe' when the Hotfix object is accessed? Or does it use some proprietary method to obtain the data?
I was messing around with wmic qfe yesterday but had some console freezes when testing the object so I abandoned it and went with the solution described above.
Also is it Microsoft or BMC who doesn't list security updates in the Applications object for 2008 and 2012?