It seems that Linux patching doesn't allow a great deal of definition. VPC just compares the packages on the server vs what is in the repository. This can include non-security related patches. Is there a way to lock patching down to just security related items?
Look in the VPC User guide - there is an 'analysis type' option that should do this.
typically though you get stuck in 'rpm hell' anyway and end up applying many rpms to satisfy dependencies.