
CVE


Posted Dec 6, 2024 12:27 UTC (Fri) by simon.d (guest, #168021)
In reply to: CVE by daeler
Parent article: Stable kernels 6.12.2, 6.11.11, and 4.19.325

Yep, I'm also a bit confused by that.



CVE

Posted Dec 7, 2024 23:21 UTC (Sat) by MaZe (subscriber, #53908)

An awful lot of the work is done 'best effort' and/or for free... People will flag patches as fixes when they upstream them into Linus' tree, which will automatically get them cherrypicked into supported LTS'es, but if they don't cherrypick cleanly, they'll likely just get skipped (unless the conflict resolution is absolutely trivial) by the LTS maintainers. A lot of developers will not do the extra work (to manually resolve the conflicts), unless there's devices they use that are running an old affected kernel. For me personally that used to mean 5.10+ but it now finally means 6.1+.

Additionally sometimes security fixes are in userspace, but build on kernel functionality (think LSM, sandboxing, etc), and older kernels may simply lack the required support. Usually these fixes just don't function (and effectively self disable) if they run on too old kernels. Imagine something that locks stuff down tighter using BPF LSM - if the kernel is too old to support BPF LSM, it simply won't do anything.

Then you've got people taking the 4.19 LTS and backporting it to the no longer supported 4.14 LTS as unofficial extended LTS [ for example https://github.com/openela/kernel-lts/tree/linux-4.14.y ], but these are even more of a lie than the now abandoned 4.19 was.
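
The self-disabling case mentioned in the comment above (hardening built on BPF LSM doing nothing on a kernel without it) can be checked per host. This is an added example, not part of the original comment: the function names are hypothetical, and it assumes securityfs is mounted at /sys/kernel/security and the kernel config is readable from /proc/config.gz or /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example: detect hosts where BPF LSM based hardening would silently be a no-op.
# All function names are hypothetical helpers written for this illustration.

# lsm_list_has LIST NAME: succeed if NAME is in the comma-separated active LSM list
lsm_list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# bpf_lsm_state LSM_LIST CONFIG_TEXT
# prints one of: active | built-not-enabled | unsupported | unknown
bpf_lsm_state() {
    lsm_list=$1
    config_text=$2
    if lsm_list_has "$lsm_list" bpf; then
        echo active                 # "bpf" is in the running kernel's LSM list
    elif [ -z "$config_text" ]; then
        echo unknown                # no config available to tell the cases apart
    elif printf '%s\n' "$config_text" | grep -q '^CONFIG_BPF_LSM=y$'; then
        echo built-not-enabled      # compiled in, but missing from lsm= / CONFIG_LSM
    else
        echo unsupported            # kernel too old or built without BPF LSM
    fi
}

# read_kernel_config: print the running kernel's config from whichever source exists
read_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# check_host: report the state for this machine; non-zero exit unless active
check_host() {
    lsm=$(cat /sys/kernel/security/lsm 2>/dev/null)
    state=$(bpf_lsm_state "$lsm" "$(read_kernel_config)")
    echo "kernel $(uname -r): BPF LSM $state"
    [ "$state" = active ]
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run with `--check` on the machine in question; any result other than `active` means a userspace policy that depends on BPF LSM is not being enforced there.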

