As you asked me for a specific case, may I bring up CVE-2016-5696.
A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by
Eric Dumazet (cf.
https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758).
Ben Hutchings uploaded his work on the fix on August 12, 2016 (cf.
https://anonscm.debian.org/cgit/kernel/linux.git/log/?h=jessie-security).
Debian officially pushed out the fix on September 4, 2016 via DSA-3659-1.
Are there reasons for the 23-day delay in providing end-users the patch?