Well, Greg or someone on the stable team will have to answer that, but the
stable team's job as I've always understood it is to aggregate changes
that other people send them that might have stability impact and release
them, *not* to engage in analyses of those changes. If the original
committer doesn't say that something has security impact, there's no
guarantee that anything will in the stable tree either. It's not as if
they're getting paid for doing this (and I'd appreciate it if you didn't
annoy them so much that they stopped doing it: having no stable tree at
all would be much worse than having one without CVE info).
Maybe this is not ideal but, as far as I know, it's the way things are.
(If I'm talking rubbish, someone who knows will doubtless comment.)