Comment by Milpotel

7 hours ago

What's so hard? A developer finds a bug, fixes it, publishes a new release at some point, done. Versus: someone else finds a bug, maybe opens a CVE, the bug gets fixed, a maintainer might notice it, backports the patch and fixes (or breaks) the package. The latter CVE case is the rare case, hence all the crashes. E.g. BusyBox is famous for that. They have a plethora of security issues documented in their bug tracker. Sometimes they even get fixed, but most of them never get a CVE, issues stay open and you can guess if it's vulnerable or not (usually it is, don't use it).