It's been like that for half a decade across all software. People act like finding a Linux kernel bug is a big deal, completely ignoring the fact that in order to exploit that bug, the attacker has to be able to run code on your computer in the first place, which is extremely hard to do these days remotely.

Also, people ironically just DGAF that much. The last actual bad exploit was log4shell in Java, which given how it was introduced (i.e. someone at Apache purposefully made it so a log statement can execute code, and nobody questioned it before pushing it to prod), should have been the signal for everyone to completely remove all Apache libraries from their services, but yet all the software is still being used.

These bugs are indeed important: you need them once you've found a bug in an application.

If someone manages to get remote code execution at user space on a machine, the amount of damage that they can do with just that versus having a kernel level exploit is about the same.

Ah yes, just move away from all Apache libraries; it should only take a day or two.

No, I agree, it's a pain, but it's necessary if you care about security and don't want to audit every single release for potential vulnerabilities. People don't do this, so they really don't care that much.