Fixing the Desktop Linux Security Model

Debian (and others like Ubuntu, etc.) freezes packages for a long time and only backports security fixes that receive a CVE, which misses the majority of them. Most fixes don’t receive CVEs because either the developer doesn’t care or because it’s not obvious whether a bug is exploitable at first.

Debian maintainers cannot analyze every single commit perfectly and backport every security fix. They have to rely on CVEs which people don’t use properly.

For example, the Linux kernel is extremely bad at this:

presentation-cve-is-dead/cve-linux-kernel.pdf at master · gregkh/presentation-cve-is-dead · GitHub

Freezing packages is never a good approach. Debian is a major issue and I really think we should switch.
