We (OpenSSH maintainers) do check and merge downstream patches from time to time. It is something of a pain to trawl through the various (completely different) vendor systems for maintaining packages and I don't think it is at all sensible to have to depend on this to pick up security fixes.
Copyright © 2017, Eklektix, Inc.