So Ubuntu has this model where they pretty much freeze package versions for an Ubuntu release after release, and then they only backport security updates from upstream. There's nothing new here, most distros do it this way. The idea is that this way they can polish the gazillions of package versions
I think that’s a misinterpretation, considering a VM is going to be the first place an org tests such a program