Debian discusses vendoring—again

Well, for multiple reasons, especially cost-related ones - most developers of FLOSS remain unpaid, or at least not compensated to amounts anywhere near the time they spend on it - very few upstreams provide updates to software releases in such a way that these releases would be suitable for 5 years of security maintenance for a distro (i.e. over 5 years of upstream security maintenance, given the freeze period and also the gap between the latest upstream release and the beginning of the freeze period). Also, many upstreams do not maintain a stable release series either.