For frozen distributions such as Debian, package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes (particularly for less popular software) never receive a CVE ID at all and are therefore never picked up under this patching model. As a result, minor security fixes are sometimes held back until the next major release.
We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work.
https://www.youtube.com/watch?v=i8c0mg_mS7U