This is a serious argument against distro packagers playing developers.
In my opinion, a packager should NEVER, EVER patch something. If it doesn't work, complain to upstream until it's fixed. If it's not fixed, drop the package or revert to a previous version. The case of security fixes is not different.
But that's just my opinion, of course.