Security of NGFW OS and kernel

I know there are lots of different providers, but let us focus on the bigger ones and the ones running some kind of Linux. In the end they are all some kind of huge packet-parsing engine, and I guess many options will be enabled in the kernel. But I'm not sure about that, nor can you find much info on how they do networking under the hood. Are they doing something specifically different from a normal Linux system in terms of kernel/program security and networking? Or are they more or less the average Linux router with iptables plus a nice GUI and analytics?

When I look through some patches/changelogs I regularly see high-risk CVEs, so I am wondering if they can actually make network security worse.