We (OpenSSH maintainers) do check and merge downstream patches from time to time. It is
something of a pain to trawl through the various (completely different) vendor systems for
maintaining packages, and I don't think it is at all sensible to have to depend on this to pick
up security fixes.