> but a higher risk that you'll get stuck with an old bug waiting for the maintainer to pull in a patch. Then there's the risk that in their attempt to cherry pick, they don't actually mitigate the issue

Which is why the whole process is open sourced and you can get easily the source version of a package, edit it and rebuild it.