How can we ensure security fixes get MFH'd to quarterly?

[Mel Pilgrim]

On Nov 27, r486043 was committed to head to fix several vulnerabilities 
in the Samba 4.7 and 4.8 ports, but it wasn't merged to 2018Q4.  A PR 
was opened, but 2018Q4 sat unfixed until it expired at the end of the year.

Filing a PR didn't help.  Mentioning the PR on this list didn't help. 
What can be done to prevent further repetitions of this lapse in the future?