Part of the (social) contract stable or enterprise distributions have with their users is stability. Not as in not crashing, but as in things not changing. What you set up today will still run and be secure in ten years, if that's the support period.
This means that they can't change Apache versions. That would break things for customers, and customers that pay for stability tend to be annoyed when they don't get it.
What Red Hat and others do is to backport fixes. When a vulnerability is discovered, they will figure out how to apply the fix to older versions. The Apache project will generally only patch the latest version, but Ubuntu, Debian, Red Hat and others will backport it to the version they use.
Thus you can't look at the version number to determine what vulnerabilities are present. A good source for Red Hat is RHSA, which will tell you when a particular vulnerability is closed.
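As an added example (not part of the original text), the following script triages CVEs that a version-based scanner flagged by looking for them in the installed package's changelog instead of trusting the version string. It assumes the changelog names the CVEs it fixes; the sample changelog, CVE ids and function names are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample in the style of `rpm -q --changelog httpd` output.
# CVE ids, dates and release strings are placeholders, not real advisories.
sample_changelog() {
cat <<'EOF'
* Tue Mar 04 2099 Example Maintainer <maint@example.com> - 2.4.6-99
- Resolves: CVE-2099-0001 (backported fix for request parsing)

* Mon Jan 13 2099 Example Maintainer <maint@example.com> - 2.4.6-98
- fix log rotation
- Resolves: CVE-2099-0002, CVE-2099-0003
EOF
}

# Print every distinct CVE id mentioned in a changelog read from stdin.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# triage_cves <changelog-file> <cve>...
# For each CVE a scanner flagged from the upstream version number, report
# whether the package changelog records a fix. "unconfirmed" does not mean
# vulnerable: it means the vendor advisory (e.g. RHSA) still has to be checked.
triage_cves() {
    changelog_file=$1
    shift
    fixed=$(changelog_cves < "$changelog_file")
    for cve in "$@"; do
        # -x matches whole lines, so CVE-2099-0001 never matches CVE-2099-00010
        if printf '%s\n' "$fixed" | grep -qxF "$cve"; then
            echo "$cve backported"
        else
            echo "$cve unconfirmed"
        fi
    done
}

main() {
    tmp=$(mktemp)
    sample_changelog > "$tmp"
    # On a live RPM system, replace the line above with:
    #   rpm -q --changelog httpd > "$tmp"
    triage_cves "$tmp" CVE-2099-0001 CVE-2099-0003 CVE-2099-0009
    rm -f "$tmp"
}

main
```

An "unconfirmed" result is the cue to look the CVE up in the distribution's advisories, since the changelog is a convenience and not the authoritative record.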