by zer00eyz 778 days ago
That's who pushed XZ out as far as it went.

Everyone is asleep at the wheel.

3 comments

Distribution maintainers are also the people that pushed out a fix as quickly as the compromised version was released.

It's unrealistic to expect software to never have security holes, bugs, or vulnerabilities. How they're handled matters more than the fact that they were introduced to begin with.

A single incident. How many incidents in how many decades have there been?
Ask the bottles team how they feel about maintainers and the job they are doing.

A fair number of upstream developers are unhappy with what maintainers do and how they deal with bugs and updates.

The real problem is that software packaging and distribution is so very broken. I had a systems admin say "I love containers, they are a circle of salt around demonically bad software"... He wasn't wrong.

I thought that the xz backdoor was only in bleeding edge distributions?