Will be interesting to see how the new process[1] plays together with "participation in stable is optional for mainline developers" and the "developers almost never declare specific changes as security fixes"[2] approach I assume still holds true for mainline.
It sounds like it could easily happen that someone fixes a security bug in mainline w/o telling anybody, so no CVE would be issued unless someone backports the change.
[1] https://lore.kernel.org/lkml/2024021314-unwelcome-shrill-690e@gregkh/
[2] http://kroah.com/log/blog/2018/02/05/linux-kernel-release-model/#security