The contributors to nixpkgs for the most part, the whole thing is on github and it's one of (if not the) largest Linux package repo of any distro. You can override defaults easily. Security updates are handled by updating your nix channel and rebuilding the system, or updating your flake and a rebuild (if the maintainer has released a more recent version, if they haven't you can make an overlay and bump the version, add your own patches to the build or 'derivation'. Rollbacks are baked in until you remove them from the 'nix store'. You can configure all the things!