Comparing distro package version numbers to upstream package version numbers
isn't the correct way to determine if a security vulnerability exists within
distro packages like this. Assuming that a program contains a security
problem, it is commonly fixed by backporting only the actual security patch
itself and leaving it at the same version.
An example is here:
https://www.debian.org/security/2020/dsa-4611
Debian fixes it in version 6.0.3p1-5+deb10u3.
And so: someone who only compares version numbers would see "Oh noes - I
have 6.0.3p1 which is less than 6.6.2p1 and so I am still vulnerable" when in
fact they are not.
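As an added illustration, not part of the post above, here is a Python implementation of the Debian version-ordering rules (the algorithm behind dpkg --compare-versions, from Debian Policy section 5.6.12) used to check an installed version against an advisory's "fixed in" version instead of the upstream release; the version strings are the ones quoted in the post.

```python
def _order(c):
    # dpkg weighting: '~' < end of string (0) < letters < other characters
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(a, b):
    # Compare two non-digit runs; a missing character counts as weight 0.
    for i in range(max(len(a), len(b))):
        oa = _order(a[i]) if i < len(a) else 0
        ob = _order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _run(s, i, digits):
    # End index of the run starting at i made of digit (or non-digit) chars.
    while i < len(s) and s[i].isdigit() == digits:
        i += 1
    return i


def _cmp_part(a, b):
    # Alternate non-digit runs (lexical via _order) and digit runs (numeric).
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        ja, jb = _run(a, ia, False), _run(b, ib, False)
        r = _cmp_nondigit(a[ia:ja], b[ib:jb])
        if r:
            return r
        ia, ib = _run(a, ja, True), _run(b, jb, True)
        na, nb = int(a[ja:ia] or "0"), int(b[jb:ib] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    # [epoch:]upstream_version[-debian_revision]
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering versions like dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_fixed(installed, fixed_in):
    # True when the installed version is at or above the advisory's fixed-in version.
    return compare_versions(installed, fixed_in) >= 0
```

Checking 6.0.3p1-5+deb10u3 against the upstream 6.6.2p1 reports "not fixed", which is the mistaken conclusion from the post; checking it against the advisory's own fixed-in version 6.0.3p1-5+deb10u3 reports "fixed", while the earlier revision 6.0.3p1-5+deb10u2 does not.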