the repos are either close to upstream, or they backport security fixes. Everything else is not secure
make working, secure, sometimes branded bundles including Desktop, some apps, some specific software
the bundles get updated and if it is a point release, upgraded to a new set of packages. That is called a "Distro version"
This ensures new features and security fixes
the Distros care about bug reports, work with upstream, getting new contributors, packaging (bundling the packages, presets, libraries into a set with a name, handling dependencies etc.)
Distros also often package and build their own kernel or multiple ones. These kernels are most often general purpose, even though there is the kernel-hardened or Oracle's “unbreakable kernel” (whatever that is). Also there is an LTS kernel that has backported security fixes, as well as other releases of the kernel like git (latest of everything).
Distros take care of the versioning, so not every package is always the latest but tested to work with other packages.
Distros also implement security systems like SELinux and AppArmor with matching configurations
So you see that is highly complex. So stay as close to upstream as possible to get the best experience. I think of the main distros as
Debian + Ubuntu
Fedora + the RHEL stuff or clones (Oracle, Alma, Rocky etc)
openSUSE, SEL
Arch
Gentoo
Alpine (BusyBox and musl, not real GNU+Linux)
NixOS
GUIX
ClearLinux
Coreboot (yes that is a Linux distro)
Slackware and other probably outdated projects
small ones with different focus
All the others are either downstream modifications of these, or less known. Some like ublue, EndeavourOS etc. also just take an upstream distro and change very little.