Morality and legality are not the same thing.

Although perhaps my previous comment went a little too far. I think it's fine to not fix issues as long as you publish them so that users can make an informed decision. Where I think it would be morally wrong is if a project pretends it fixes security issues but doesn't, or if it tries to cover them up: insisting external reporters don't talk about them while also having no intention of fixing them.

Basically I think open source projects (like everyone) have a moral duty to be honest and not try and deceive people, regardless of what the license says.

You make it sound like this is a common problem in open source projects, like they are trying to cover up existing issues, or claiming they are fixing security issues when they are actually ignoring them. Do you think this is the case? Can you name a few projects where you noticed this?