Backporting security fixes onto stable releases

Stable builds do receive security fixes as warranted. Not every security fix mentioned in the beta release notes requires backporting, however. Some may be trivial/minor, and not worth the effort/risk to backport. Others may be medium/critical, but are due to a change from an earlier beta such that the security vulnerability doesn’t exist on stable.

In the current example from 2.7.0.beta5, the vulnerability could only be exploited under specific circumstances, on sites that had deviated from default secure site settings. As such, it was decided not to be backported, due to the risk of introducing unexpected bugs/changes, which we try to avoid on the stable branch.
