You can contact Apple about this at product-security@apple.com (or you can open a Radar report if you're a developer), or you contact the maintainer of the package.
Often the mail addresses can be found in the README (or AUTHORS) of the source code, or on the project's website.
Yes - both Apple (specifically) and the open source developers (in general) do reference CVE in patch and security emails and participate using that mechanism for tracking reported vulnerabilities.
Edit: Better Option
I found AppFresh, which seems to do exactly what you're looking for, using a bunch of different sources, including Apple Update, Sparkle (which a lot of 3rd party apps use to push updates), Microsoft Updates and more. It also has the option of installing the updates right from the app.
Original Answer
MacUpdate offers RSS feeds of updates to all the software it tracks. You could use that, with something to filter for items matching software you have installed (Yahoo Pipes) might be useful for that) to give you a list of updates to any of your apps.
It's probably not a comprehensive solution depending on the obscurity of some of your apps, but it's probably the closest you'll get to a single source.
The other alternative might be creating a script that periodically checks provided URLs for all your software for any changes, then notifies you in some way.
Best Answer
The closest thing I know of is HackPorts.