Are security.ubuntu.com updates eventually merged into normal updates?

Short answer: no. Security updates never become "recommended" updates.

• security.ubuntu.com is the same as archive.ubuntu.com (try pinging both and checking the IP they resolve to)
  • Compare the contents of security, and archive

• What matters for critical security updates is the -security repository, which is carried by all mirrors (e.g. precise-security)

  • The only reason I can think of that Ubuntu keeps using security.ubuntu.com instead of your local mirror is to minimize the risk of any problems if that mirror does not regularly sync to the master repository
  • If your mirror is updated regularly, you can just add/edit a line such as:

  deb http://xx.archive.ubuntu.com/ubuntu precise-security main restricted

From the official repository description:

• "Important Security Updates (lucid-security)". Patches for security vulnerabilities in Ubuntu packages. They are managed by the Ubuntu Security Team and are designed to change the behavior of the package as little as possible -- in fact, the minimum required to resolve the security problem. As a result, they tend to be very low-risk to apply and all users are urged to apply security updates.
• "Recommended Updates (lucid-updates)". Updates for serious bugs in Ubuntu packaging that do not affect the security of the system.

Security updates can and do become recommended updates.

From the Ubuntu Security Team FAQ:

While packages are copied from security to updates frequently, it is recommended that systems always have the security pocket enabled, and use security.ubuntu.com for this pocket.