As said on irc: 1) I don't want to ship the package in Buster if the security team can't handle security updates 2) I don't want security team to handle them, I'll in case provide them the stuff that can be sponsored (as we did in the past).
In case the new micro releases are not ship anymore by upstream, we can declare the security support as finished. So, my solution is "best effort security updates", but only if security team is ok with this approach. G.