The code was not originally written with security in mind and it shows. Now we do treat security bugs as bugs and _will_ fix them, eventually, but they're on the same schedule as any other bugs and feature requests, which is to say, realistically we do a real release once or twice a year.
Filing 20 bug reports will not make us respond any faster. Nor will filing CVEs or whatever.
Yes, I agree that it's not great that we don't get to these sooner.
But, realistically, _we just don't have the time and energy_.
The current schedule for stb lib maintenance is what works for us. The alternative is not "pay us and you get monthly releases". The real choice here is between either we update these libraries at all, at the leisurely schedule we do, or we abandon them entirely. Nagging us does not magically make us have more free time or energy.