Or no one is to blame, if the mechanism of the regression is complex and non-obvious based just on the patch itself.

Or they are to blame because they misplaced responsibility in a tool's universality to not introduce regressions, even complex and non-obvious ones.

or they are not to blame because they accepted the possibility of a regression when fixing 6 CVEs

Or they are to blame because fixing 1000 CVE's doesn't magically absolve one of responsibility for regression bugs, even if one "accepts" them as a psychological salve.

If you are entitled enough then they are to blame they didn't fix everything at once, but in that case you really should be paying for their product and support. Otherwise fixing security issues has high enough priority to accept there might be downstream bugs that will be fixed in due course.