Yeah, I'm sympathetic to the Ubuntu maintainers - at this point there are teams/companies which have built some server application/service on Ubuntu 18.04, and expect no backwards-incompatible changes for 5 years (the classic stable distro objective), but if openjdk-11 is updated from openjdk 10.x to 11.x then some stuff will stop working. I'm curious how they'll resolve it (and I think an additional half-year past the openjdk-11 release is reasonable, in the overall 5-year timeframe).
(Meanwhile, apparently, some users have come to expect an upstream release to get into ubuntu stable updates within 2 days ?!)
Stable linux distros have a long history of backporting security patches themselves - RHEL does this the most/longest, Debian and Ubuntu somewhat less but still a lot. They've given up on web browsers, but for most other stuff, definitely including java, they certainly can and do support what they have released. In the linked issue, it notes that they already have backported some security fixes that were in 11.0.1 to openjdk-10.
(Meanwhile, apparently, some users have come to expect an upstream release to get into ubuntu stable updates within 2 days ?!)