The reality is that reliable backports of security fixes are expensive (partly because backports are hard in general). The older a distribution version is, generally the more work is required. To generalize somewhat, this work does not get done for free; someone has to pay for it.
People using Linux distributions have for years been in the fortunate position that companies with money were willing to fund a lot of painstaking work and then make the result available for free. One of the artifacts of this was free distributions with long support periods. My view is that this supply of corporate money is in the process of drying up, and with it will go that free long term support. This won’t be a pleasant process.
Yes, fixes for CVEs are backported.
E.g. Debian 8 was released in 2015 and all support will be terminated in 2025 when there is no more Freexian support.
Currently, the release cycle is 2 years standard release, 1 year support by the Debian security team, 2 years LTS support, and 5 years ELTS with Freexian; you get a total of 10 years support.
The problem is always going to be that after the first 3 years the support is not handled by Debian, and it doesn’t include all architectures of the original release; if you are using exotic hardware, don’t expect to get the full 10 years you get with x86.