You are only bound to the vulnerable version if you let your dependency decide which version to take. If you add the nuget package yourself (so a fixed version of System.Net.Security, lets assume that’s 4.3.x) to your project will work with the new(er) package.
CLICK HERE to find out more related problems solutions.