Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities?
"multiple critical security bugs for which no fixes have been backported,"
The summary answers your question. There are no patches that address the known security vulnerabilities.
it's up to someone from the Ubuntu community to step up and fix it.
If someone creates a patch, they are welcome to submit it, and maybe the package maintainer will apply it.