> cross-reference all of Apple's CVE notes

I never suggested that. But Apple itself prioritizes patches by severity when deciding what to backport.

Some issues are so severe that Apple occasionally releases a new security update for previous OS versions that no longer receive security updates otherwise.

A lot of issues are merely privilege escalation, which is not necessarily a big problem on a personal computer.