OpenWRT updates are very much discouraged on an ongoing basis primarily because most devices running it use very cheap flash chips which are small and fail quickly after too many writes. They’re nowhere near the level of SSDs, or even SD cards, that can handle many flash cycles.

Almost as important is the fact that updates do not overwrite the original packages, because those are in a read-only partition. Updates are written to an overlay file system, so every updated package uses twice as much flash space. Installing updates weekly would quickly fill the flash.

But as far as vulnerabilities go, what’s the actual exposure? From the outside there’s no ports open, and on the inside only a few for device management, and basic services like dhcp, etc. Those have been around for decades and are pretty well hardened by now.