It's good. It gives the maintainers the possibility to update their packages. And if a CVE is unfixed for months it reflects on the maintenance. This usually only happens to closed source packages.