And you can't have _just_ security updates, because the combinational complexity of security fixes across feature versions is insane, not to mention the fact that the interaction of the security and feature changes can itself introduce bugs. There are groups that try (e.g. distro maintainers), but it's ultimately a losing battle. I'm convinced that patching is only a band-aid, but it's also impossible to have 100% bug-free code, so there needs to be some sort of systematic solution on top of whatever particular code is running. Behavior analysis, egress network analysis, immutable-by-default images with strictly defined writable volumes and strictly defined data that's going to be written there, etc. There's not a silver bullet, but I think patching and trying to keep up with updates is, like, a gallium bullet at best.