Can someone please tell me how to verify that yum repo's are getting updated lists? The results of running 'yum update' keep getting shorter and shorter, with some servers not getting pinged for any updates at all. Out of 20 RHEL servers, only 6 came back as needing updates installed (checked monthly).

The repositories have many many packages but what YOU get in "yum update" are only those packages that are relevant for what you have installed before the update. That is to say if you do not have for example BIND installed then a yum update won't install any BIND updates even if there are a dozen of them and you really don't want it to do so.

That makes sense. So when you run 'yum update' does it check a local list on the machine, or does it reach out to the repo's on the Internet, where it would download them from? We got a security warning the other day from our Customer about needing to upgrade httpd to 4.4. When I checked we only had 2.2 installed and running 'yum update' returned a 'No Packages marked for update'. That made me wonder if other packages were not being update and prompted this post. Your point above makes sense, but apparently 'yum update' isn't updating everything, because httpd was already installed but not marked for update

Have you checked online if your distribution and installed repositories actually provide httpd 4.4? Some of them do not necessarily have all the fancy new versions included but focus on stability. If your installation features httpd2.2 it might well be the case there was no need to fix a bug in httpd4.4.
I don't know about this httpd4.4 case, but I remember there were some security advises out there a while ago about cups, but e.g. RHEL just did not provide fixes/patches for these issues. In such a case you have two options: Stay with what's provided by your distro and trust the distro maintainer or install the patched/fixed version from another repo or compile it yourself. It always depends how critical your application is and where your focus is.

The way RedHat does it is to use a certain base package (e.g. httpd 2.2) then to modify that base with bug and security fixes and put their own versioning on the result. Often these bug and security fixes are backported from higher base versions.

For example:

httpd-2.2.3-22.el5_3.2

Is based on upstream version 2.2.3 of httpd. RedHat then has modified this for RHEL5 (as noted by the el5) and everything after the 2.2.3- relates to RedHat's version. You could then check your version at RedHat's site to see exactly what bug and security fixes they may have incorporated into it. It may in fact have backported security fixes from httpd-4.x in it (but only if they're relevant to the 2.2.3 base).

Generally speaking scanning tools do NOT pay attention to RedHat's extended versioning so will often falsely report you are vulnerable even though you have the latest security and bug fixes. Usually it is best to simply modify things like httpd and php that get scanned so they do NOT report a version at all. It saves you much grief in the long run as you don't have to keep explaining that you ARE patched correctly.

The RHEL5 repositories won't have httpd 4.4 for the reasons noted in the post above. However, this does not mean a vulnerable version of httpd is being run again for the reasons noted above.

I'd also query 'httpd 4.4'; exactly which httpd server is this supposed to be?
The default one on RHEL is Apache and they're only up to 2.4.3 https://httpd.apache.org/

But RHEL5 is NOT up to 2.4.3 as explained above. They only up to 2.2.3 (base). Typically RHEL doesn't change base versions until they change the RHEL major version. (For example RHEL6 uses a base of 2.2.15.)

I know, I meant Apache is only up to 2.4.3. What I was querying was httpd 4.4 (!) ....