Your security team are likely relying specifically on scanner results, which are typically incorrect.
Ubuntu patches CVEs with patches cherrypicked and applied to the version in the Ubuntu repos and to my knowledge there are no CVEs that are not already patched in the packaging. Check the CVE tracker for more details, and have your 'security team' learn not to rely solely on their tools, and to actually check if the CVEs, etc. they're seeing reported are in fact patched. (This is why we use Rapid7 InsightVM to check all our systems' security with credentialed agent access at my employer).
Note that some CVEs are likely patched, while others don't apply, etc. so you and your sec team need to look up the specific CVEs on the tracker and see if the version of Ubuntu in use actually has a patch available. If it does, it'll list what version of the package has the patch. You can then check apt policy openssh-server and see what version of OpenSSH server is installed on the system. If it's older than the package version that's patched, you need to run updates on your systems.
(Disclaimer: I am an IT Security Professional by trade, and this 'misconception' of "you MUST upgrade to the latest OpenSSH or you're not safe!" is a notion that security teams need to stop adhering to, and they need to learn how the infrastructure actually works and gets updated.)
If you are dead set on updating to newer OpenSSH to fix this, then you need to manually compile OpenSSH and install it on those affected systems. This will not be trivial and is not easily documented here.
