weinzierl 3 hours ago
"The thing to do is to monitor your dependencies and their published vulnerabilities, and for critical vulnerabilities to assess whether your product is affected by it." Yes. "Only then do you need to update that specific dependency right away." Big no. If you do that, it is guaranteed that one day you will miss a vulnerability that hurts you. To frame it differently: what you propose sounds good in theory, but in practice the effort to evaluate vulnerabilities against your product will be higher than the effort to update plus taking appropriate measures against supply chain attacks.