Of the big distros, I generally prefer Fedora over Ubuntu. SELinux is better than AppArmor, and systemd, while still rubbish (yeah it can do some neat things out of the box that SysVinit can't without some really good scripting, but it's so huge and unnecessary), is still better than Upstart. They're both fairly bloated, but it's easier to trim the bloat out of Fedora, imo.
Also, RPM used to suck a lot when dealing with dependencies compared with dpkg, as it lacked many features and didn't have anything like APT, but the format was still better than deb, and these days, the whole thing is better (though APT is still a better frontend than YUM). The average GUI-only user migrating from Windows won't notice any difference between either package manager, anyway (unless they hit a bug or start messing around with RPMs/debs from outside the distro).
Gentoo is the way to go, though! Whenever I use binary distros, I'm simply astonished at how much bloat gets pulled in whenever you try to install something as simple as a web browser (Firefox and Chrome/Chromium pull in things like gconf, which in turn pull in most of GNOME, etc), while with Portage, I can simply turn off a few USE flags to disable most unwanted dependencies, and if a certain package is still trying to pull some bloat in, I can just make my own local copy of the ebuild that turns off the offending feature (with EXTRA_ECONF) and removes the dependencies for it.
All the compiling isn't too painful either if you distribute it over all of your machines (with distcc), keep a compiler cache to speed up rebuilds (with ccache), and compile everything with optimisations that are generic enough to work on all of your machines so that you can use the same builds for all of them (with FEATURES=buildpkg on the machine that does the building and its DISTDIR/PKGDIR shared over NFS).
Gentoo's SELinux policy is a little bit unpolished (I just use the Fedora one and port over any necessary Gentoo-specific changes), but the support for PaX is very good (I guess SELinux and PaX on a desktop is a bit overkill though, and probably won't help much, considering that most desktop vulnerabilities are in things like browsers and don't even require code execution, or in binary blobs that have to be ignored by PaX to run in the first place).
The 'ifconfig' tool (which is from net-tools) is obsolete btw, use 'ip addr' and 'ip link' instead (which are from iproute2). The only reason it hasn't been removed is because net-tools contains a few things that aren't in iproute2 and that don't have any other alternatives yet. Seeing as net-tools will be phased out entirely eventually, it's better to learn the 'ip' tool instead.