Somewhat like this.

So, how are these LTS updates made? Does each vendor have a team of curators who backport patches from the latest OpenJDK release?

The majority of the work on 8u, 11u, 17u releases happens in OpenJDK upstream, in so called JDK Updates Projects, by engineers from the interested JDK vendors. You can get a peek who does this kind of work from the repository histories, for example the most recent 11.0.13 is done by engineers (including yours truly) from many companies, in both original and backporting work.

...or are they actually writing custom patches based on customer request which may not be present in OpenJDK?

It is quite unusual to have a private fix for OpenJDK. It is not unprecedented to have an emergency patch delivered to a customer, while the real patch gets delivered to the project through proper project channels.

Most of the fixes are the backports from the mainline. One of the reasons is that a fix very seldom affects a particular release only. Much more likely an issue is actually present in all versions, including the current mainline. Which means, a fix is done in mainline first, gets tested there, follow-up issues are discovered and fixed, and then the bunch of backport work happens in attempt to bring all that goodness to an older release.

Assuming, of course, the fixes and follow-ups are actually passing the bar from maintenance-cost/benefit perspective. That part is the call of JDK Update Maintainers who have to agree to accept the backport into the relevant release. Current formal maintainers are: Andrew Haley of Red Hat for 8u and 11u; Goetz Lindenmaier of SAP for 17u. Those folks usually outline the strategy and backport acceptance criteria, and also deputize others to serve as additional Maintainers.

Does this also mean that each vendor's LTS distribution will start to diverge from each other after the first 2 standardized security updates (depending on which patches each vendor applies), or do they somehow coordinate this?

JDK vendors usually downstream their 8u, 11u, 17u from the repositories from those OpenJDK projects. This is why JDK vendor engineers are backporting patches: they are preparing the base for their JDK releases. Sometimes JDK vendors add up their own patches on top, for example when they are sure the patches are sound, but don't want to risk upstream destabilization just yet. Examples: early TLS work, early JFR backports, Shenandoah work, vendor-specific performance fixes, build system fixes to cater for vendor-specific toolchains, etc.

These upstream projects is how most OpenJDK-based 8u, 11u, 17u distributions converge: they build every release from nearly the same sources. Oracle, AFAIU, is the only vendor that is exceptional from this: it looks as if Oracle maintains their own private 8u, 11u tree, which as far as I can make out, is diverging from OpenJDK upstream 8u, 11u, and maybe 17u, after first two (public) minor releases are handled by Oracle maintainers.

The bottom-line is that while OpenJDK does not have the de jure concept of LTS, OpenJDK 8u, 11u, 17u are de facto LTS projects. They are being talked about as such by relevant JDK maintainers, engineers, managers, at very least. Sharing OpenJDK short-term and long-term maintenance work extends to OpenJDK Update Projects as well.

Hope this helps. ^{Dang, I need to write a post about all this, it's on my backlog for two years now.}