The developer just seems to love selling updates as a feature to uneducated people. The commit shows only half of the truth.
While updates are undeniably important, he does not explain or show whether a newer kernel is not already compromised; this happened often with newer OpenSSL versions, to name just one basic example in which updating could be a problem security-wise.
In truth, GrapheneOS simply sells updates as a security feature without mentioning whether newer versions are really more secure; there is simply no proof for such a bogus claim. It is more than questionable whether newer versions are tested or whether he just sells "newer is better" in general to lure people into using his AOSP mod. Probably no one can disprove him, as he constantly updates and updates without ever doing a serious audit of the OS himself, and because it constantly gets changed, it is nearly impossible to audit, confirm or debunk his promises.
This is exactly the scam we had with AntiVirus products, in which a test showed weaknesses and then, shortly after, this played absolutely no role anymore because there was another signature update; then, years later, some serious security researchers really did tests and abused AV products.
The example clearly shows that the developer fools others who are not in the security scene with unproven claims; just because there is an update does not necessarily mean more security, until proven and tested otherwise. This is not mentioned with a single word. It should also be said that not every exploit and weakness is easy to abuse. People who typically use a hardened OS or are connected to the security scene are not a target, and those who installed it in the hope of gaining something compared to AOSP usually also read basic security news, as they already found out about AOSP mods such as GrapheneOS.
My response and impression
As already mentioned, we already have lots of claims, once again all unproven, and the developer wants to make a living out of his project, which he tries to sell at all costs as secure. In fact, the only thing that is secure is other people's work, which he simply adopts into his mod. I would like to show my disrespect at this point for not showing the entire picture and framing everything under the "secure" claim, which is more and more a cash grab these days.
The developer basically spits on the AOSP community and other developers, as well as Google, claiming "oh, there is a new LTS kernel version, why not roll it out immediately" without even going into the specifics of whether exploits are easy to abuse to build an attack that actually works; in lots of cases you need to consider other things to make an attack actually work. People need to execute unknown attachments and the typical yada yada, which is not really realistic, as such people who use mods never fall for it, and they are knowledgeable enough to build an efficient strategy without relying only on the kernel's security model. It is called a multiple-layer strategy, which again the developer did not mention once in the entire commit or on his website.