TJTorola 4 days ago

I generally agree, pinning versions and then having some script to automatically update to capture security updates makes sense, except that it also assumes that every package is just using standard semver, which in my experience is something like 99% true.

But it's also missing the value of hashes, even if every package used semver, then you had a script that could easily update to get recent security updates, we would still gain value from lockfile hashes to protect against source code changing underneath the same version code.