Everything that’s in main gets released to everyone with the security fixes. Canonical’s security team works on those.

The stuff in the universe repo is owned by the Ubuntu community (not by Canonical), so anyone can submit those fixes, but it depends on the Masters of the Universe, who are all volunteers, to get it upstreamed.

The extra Ubuntu Pro updates for the universe repo come from when someone who’s paying for Ubuntu Pro asks Canonical to make a patch. The source is still available to anyone, so someone could take that patch and then submit it to the community who maintains the universe repo.

Once the 5 years of standard support ends, then the only way to get additional fixes is through Ubuntu Pro, but if Canonical writes those fixes they also submit them back upstream (as opposed to if they grab a specific patch from upstream — and even then it’s still available on Launchpad regardless.

The reason nobody’s made a CentOS but for Ubuntu Pro is that it’s way easier to submit the patches through the community (and become part of that community who approves packages) than it is to spin up all the infrastructure that would be needed.