Stable linux distros have a long history of backporting security patches themselves - RHEL does this the most/longest, Debian and Ubuntu somewhat less but still a lot. They've given up on web browsers, but for most other stuff, definitely including java, they certainly can and do support what they have released. In the linked issue, it notes that they already have backported some security fixes that were in 11.0.1 to openjdk-10.