Most of the maintenance I end up doing is security fixes in stb_image. These take a comically long time (often these stay open for more than 6 months).
I don't know what to say other than that stb_image has always had a note up top, which currently reads "Primarily of interest to game developers and other people who can avoid problematic images".
stb_image was _always_ meant for indie games and throwaway tools where you're in full control of the data.
The code was not originally written with security in mind and it shows. Now we do treat security bugs as bugs and _will_ fix them, eventually, but they're on the same schedule as any other bugs and feature requests, which is to say, realistically we do a real release once or twice a year.
Filing 20 bug reports will not make us respond any faster. Nor will filing CVEs or whatever.
Yes, I agree that it's not great that we don't get to these sooner.