The old-version-in-Debian problem is, at root, that https://www.infradead.org/openconnect/download.html says: "The latest release is OpenConnect v9.12 ... released on 2023-05-20".
The Debian maintainer is, reasonably enough, simply packaging the latest official release of this extremely security-sensitive network-facing highly-exposed bit of software. The "right" solution is for the openconnect project to make a more up-to-date official release. If there is a fork with more recent marked releases that you think Debian should switch to, that should be discussed with the Debian maintainer with an eye towards persuading them. Such a fork could be created if necessary, but it would need to have at least some "mind share" to be a plausible alternative. Taking a bird's-eye view, it's clear that the openconnect project is under very active development, has many unresolved issues on the GitLab clone of their development repo, and for some reason has not seen fit to make an official release yet. Maybe they have a reason for that? They seem to know what they're doing. Perhaps raise this as an issue on https://gitlab.com/openconnect/openconnect/ ?

