protimewaster 2 hours ago
That's not entirely correct. There are also updates to the baseband, bootloader, binary driver blobs, etc. E.g., the bootloader for the FP3 was set to trust roms signed with the AOSP test keys (https://forum.fairphone.com/t/bootloader-avb-keys-used-in-ro...). That's not something fixable by the OS / rom maker.

The security issues stemming from such things are likely real, as well. There was a paper released some time back, about binary blobs, that found:

> Our results reveal that device manufacturers often neglect vendor blob updates. About 82% of firmware releases contain outdated GPU blobs (up to 1,281 days). A significant number of blobs also rely on obsolete LLVM core libraries released more than 15 years ago. To analyze their security implications, we develop a performant fuzzer that requires no physical access to mobile devices. We discover 289 security and behavioral bugs within the blobs. We also present a case study demonstrating how these vulnerabilities can be exploited via WebGL.