Well Manjaro adds 2 extra layers on top of Arch. So Arch reports security issues,fixes some of them and depending on the risk Manjaro is recompiling them as needed / if possible to other branches like testing and stable.
Pulling them only from Arch into our unstable branch only fixes the issues there.
If there is any fix it needs to be verified by someone. So security experts are needed. Canonical employs those in a team. Arch has only a team of volunteers, which may delay things. Arch is also a do ít yourself Distributon. So in the end you’re the Admin of your system.
We have to see how this can be improved.