Your citation of the Debian OpenSSL fiasco is a bullshit example.
As was widely reported at the time, Debian's package maintainer *did* take
the patch to the documented upstream development list. Communications
took place, but went awry, with each side not completely understanding the
other. Ben Laurie later waded in to cluck that distributors suck, and
that the patch should have been sent to the list that all the cool OpenSSL
upstream kids read. (The existence of said list was a well-kept secret
from the general public until the bug in question blew up in Debian's
There was lots of fail in the Debian OpenSSL situation, but failure to run
a patch by the upstream developers was not a component of it.