Finding unpatched "features" in distro packages

I generally expect baseline distro packages to be “old” by some measure. Even for more forward-thinking distros, they generally (mis)equate age with stability. I’ve heard the expression “bug for bug compatible” when dealing with newer code on older systems.
Something about the devil you know vs the devil you don’t.
Ok. In this case, CMake. A good development tool, gaining popularity over autotools and other things.
Base SIOS image is on Debian 8.x (x=6 at last viewing). CMake version is 3.0.2 + some patches.
Remember, age == stability uber alles.
So I encountered a bug in CMake, with the FindOpenSSL function. This was in building Julia. Doing some quick sleuthing, I found this patch (for a later version) of CMake. Looking at the source, it would apply correctly without edits, so I gave it a try (dev machine with our ephemeral SIOS boot, no issue if I nuke it by accident … a reboot fixes everything).
Restarted the make and it ran correctly to completion.
So I started looking at CMake. The distro has 3.0.2 + patches. The patch was for 3.1.2. Out of curiosity … how old is this rev, and are we badly out of date? Looking at the git repo

The 3.1.2 version which fixes this was released 20 months ago. 3.0.2 + patches is more than 2 years old. 3.6.2 is latest stable.
Ugh. Will live with patch for now, but might need to update CMake on our units to avoid this in the future.