I think replaceDependencies is the practical solution here. This has been discussed many times on Discourse; see e.g. replaceRuntimeDependency, Guix grafts, and other approaches to the fast-upgrade problem.
It would be good if a list of hotfixes for key dependencies could somehow be maintained in-tree (within Nixpkgs itself) so that it simply becomes transparent to users. However, I don’t know whether this is actually possible.