Given the cost of discovering these issues, and the massive risk of exploitation, it’s likely that Google/Amazon/etc have them fixed in their private forks.
Fixing a private fork takes 1/5-1/10 the time of shepherding a PR to meet the maintainers expectations. And why spend 5x dev time to contribute fixes to your competitor?