  • Patch Auditing

    We are currently using Satellite 5.6 and have a requirement to be able to report on how many unapplied security patches any given server has, mostly running RHEL6 with some RHEL5 and RHEL7. At the moment we do a normally quarterly patch cycle and clone out new channels with content up to date based on the end date of the previous cycle with exceptions for critical vulnerabilities.

    The only constraint is that the report needs to be against the total number of patches released by Red Hat to date, not just those available to the server based on its channel subscriptions.

    The main option we have considered is using the Audit feature within Satellite with OVAL and XCCDF definitions, as described here.
    This works fairly well; however, it is dependent on having up-to-date definition XML files deployed prior to scheduling the audit, and the total number of checked RHSA/CVEs seems to apply to all versions of RHEL, which seems strange logically but might be a side effect of a single definition file.

    Does anyone have any other suggestions on how best to go about this?
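An added example, not part of the original post and not Red Hat tooling: one way to separate the per-release count from the all-releases total is to post-process the OVAL results file that an audit scan produces. The sketch assumes the standard OVAL 5 results layout, with the definitions embedded in the results document and each patch definition naming its release in a `<platform>` element; the sample document, its ids and its titles are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "r": "http://oval.mitre.org/XMLSchema/oval-results-5"}

# Constructed sample: trimmed OVAL results with three patch definitions.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
  <definition class="patch" id="oval:example.test:def:1" version="1">
   <metadata><title>RHSA-EXAMPLE-1: pkg-a security update</title>
    <affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected></metadata>
  </definition>
  <definition class="patch" id="oval:example.test:def:2" version="1">
   <metadata><title>RHSA-EXAMPLE-2: pkg-b security update</title>
    <affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected></metadata>
  </definition>
  <definition class="patch" id="oval:example.test:def:3" version="1">
   <metadata><title>RHSA-EXAMPLE-3: pkg-c security update</title>
    <affected family="unix"><platform>Red Hat Enterprise Linux 7</platform></affected></metadata>
  </definition>
 </definitions></oval_definitions>
 <results><system><definitions>
  <definition definition_id="oval:example.test:def:1" version="1" result="true"/>
  <definition definition_id="oval:example.test:def:2" version="1" result="false"/>
  <definition definition_id="oval:example.test:def:3" version="1" result="false"/>
 </definitions></system></results>
</oval_results>"""


def patch_summary(results_xml, platform):
    """Return (unapplied_titles, checked_for_platform, checked_total)."""
    root = ET.fromstring(results_xml)
    titles, total = {}, 0
    for d in root.iterfind(".//d:definition[@class='patch']", NS):
        total += 1  # every patch definition in the file, any release
        if platform in [p.text for p in d.iterfind(".//d:platform", NS)]:
            titles[d.get("id")] = d.findtext("d:metadata/d:title", namespaces=NS)
    # result="true" on a patch definition means the update still applies to the host.
    unapplied = sorted(
        titles[r.get("definition_id")]
        for r in root.iterfind("r:results/r:system/r:definitions/r:definition", NS)
        if r.get("result") == "true" and r.get("definition_id") in titles)
    return unapplied, len(titles), total


if __name__ == "__main__":
    print(patch_summary(SAMPLE, "Red Hat Enterprise Linux 6"))
```

Definitions written for another release evaluate to `false` on the scanned host, so they raise the checked total without ever counting as unapplied.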
