Unless you are doing it wrong.
And sadly I'm seeing more and more people doing it wrong.
To a lot of people Open Source means that they have a piece of software that does almost what they want and which they can modify to their best wishes and use internally.
So they fork locally. They don't redistribute their code, but they also aren't contributing their changes back upstream; chances are these changes wouldn't be accepted upstream anyhow, as they are really customizing the code for their specific cases. At first sight this doesn't look so bad, at second sight ..
When weeks or months later the upstream project releases an urgent security fix, the local fork has deviated so much that it can't be upgraded anymore and stays with an insecure version.
Often it's worse.. a feature that could have been accepted upstream has been implemented