So if the maintainers haven't done something, we should assume it's upstream's fault for not making it convenient enough for them, or not prompting them enough? For every distro that has packaged their code?
There are real downsides to the maintainer system - it creates a lot of extra, uninteresting work, and frequently no-one's that interested in doing it, especially for smaller packages. That's why there's so much interest in other models.
To give another example, if you install jupyter-notebook through apt on Ubuntu 18.04 today, you get a version with a security issue (CVE-2018-8768) that upstream released a fix for months ago. Package maintainers are not making anyone safer there.
It's everyone's fault. The upstream, the maintainer, and the users. The first person who becomes aware of an issue should take steps to resolve it. By distributing this among everyone you make sure that there are enough hands to do the work and people can specialize in supporting the packages they want to work on. Maintaining a package is not hard.
This isn't some hypothetical, for the record. I'm explaining how this actually works in practice.
The package maintainer system doesn't add additional people to share the same work, it creates additional bits of work for different people to do. Upstream can release a fix, and it doesn't get propagated to people on distro X because the package maintainer for X is busy with work, or is a parent now, or just isn't interested in the package any more. And if one proactive maintainer patches an issue, it doesn't help users on all the other distros, or users who get it directly from upstream.
You're explaining how this works in response to concrete examples of where it hasn't worked. I understand how distro packaging works for some packages, but I've seen it fall down too many times for others, especially more niche things.