Read what I wrote again.
The problem is that issues are fixed upstream without being marked or announced as being security related. Thus they never make any advisories, headlines, etc. And they don't get backported into the distro kernels.
You are utterly unaware of their existence unless you follow the kernel commits closely and are experienced at spotting potential security issues, and/or are in communication with someone who is.
See page 7 in https://jon.oberheide.org/files/source10-linuxkernel-jonoberheide.pdf for one of many mentions of this phenomenon.