by PeterisP 1669 days ago
Since simply updating the dependency can easily break the resulting package, this need to re-test is not something that can be avoided by making some other choice of packaging e.g. the current one - it's not adding a new burden, it's acknowledging that it already exists (indeed, IMHO much of what the original article complains about). If there are no resources to carry that burden, then the only option seems to be to wait for an updated release from the upstream, whenever that arrives.

I wrote "The burden of updating". Testing still needs to be done but there's a lot of automation to minimize the workload.

> If there are no resources to carry that burden, then the only option seems to be to wait for an updated release from the upstream, whenever that arrives.

No, most upstreams do not backport security fixes. And switching to a newer release is not an option if you want to provide stability to users.