
Surely delaying an RCE fix for two weeks on supported versions of Python is a mistake.



Distros are backporting security patches into their releases, so no harm done. If you rely on the python.org releases and don't build from source, then yes, that is a bit sad.

Case in point: the Debian security tracker; see their notes section referencing each commit.

https://security-tracker.debian.org/tracker/CVE-2021-3177


The python:3.8 and python:3.9 container images, if used to build web services such as Django with GIS extensions, may have an RCE until Python.org sources are updated.


Why can't the base image receive those patches as well?


Those images pull from python.org sources, see:

https://github.com/docker-library/python/blob/master/3.8/bus...


The release candidates are already available to use if you don't want to wait 2 weeks.



