Security issues are taken seriously and we need to know about them. We have a Responsible disclosure policy to make sure security is dealt with in an organised fashion.
Institutional Builds provide a mechanism for your organisation to set up a ReDBox/Mint distribution that is tailored to your needs. Once you've downloaded and tested the "generic" ReDBox and Mint distributions you may want to add and/or develop features. Institutional Builds use Apache Maven to add in extra features and tweak your system as needed.
Details for creating a technical build can be found in Create your own Institutional Build. We have some institutional build samples that you could use as a starting point.
An institutional build is not mandatory by any means - a lot of things can be achieved through the system configuration and branding. We'd recommend using an institutional build though - it makes upgrading a lot easier.