
I got a question: in what scenarios is it vulnerable to use containers as a sandbox?


Assuming your containers are secure to begin with (which can be tricky to set up), when a new container escape kernel bug is inevitably released you're in a race to patch it before someone exploits your system.


Exactly. Since containers share the same kernel with the host, if there is a kernel bug that can be exploited from within a container, it makes the whole host vulnerable.
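The replies describe the risk but not how to see which of your own containers widen that shared-kernel attack surface. The following is an added example, not from the thread: it audits the `HostConfig` section of `docker inspect` output for settings that hand a container more kernel surface than a default one gets (the JSON input is constructed, not captured from a real host).

```python
"""Flag container settings that widen the shared-kernel attack surface.

Added example (not from the thread). It reads the HostConfig part of
`docker inspect` output; the JSON below is constructed, not captured.
"""
import json

# Constructed sample shaped like `docker inspect <container>` output.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/build-runner",
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "SecurityOpt": ["seccomp=unconfined"],
        "PidMode": "host",
        "NetworkMode": "bridge",
    },
}])


def audit_host_config(inspect_json: str) -> dict:
    """Return {container_name: [findings]} for settings that reduce isolation."""
    results = {}
    for entry in json.loads(inspect_json):
        hc = entry.get("HostConfig", {})
        findings = []
        if hc.get("Privileged"):
            findings.append("privileged: all capabilities and host device access")
        # CapAdd / SecurityOpt are null in inspect output when unset.
        for cap in hc.get("CapAdd") or []:
            findings.append(f"added capability: {cap}")
        sec_opts = hc.get("SecurityOpt") or []
        if "seccomp=unconfined" in sec_opts:
            findings.append("seccomp disabled: full syscall surface exposed to the kernel")
        if "apparmor=unconfined" in sec_opts:
            findings.append("apparmor disabled")
        for key in ("PidMode", "IpcMode", "NetworkMode", "UTSMode"):
            if hc.get(key) == "host":
                findings.append(f"{key} shares the host namespace")
        results[entry.get("Name", "?").lstrip("/")] = findings
    return results


if __name__ == "__main__":
    for name, found in audit_host_config(SAMPLE_INSPECT).items():
        print(name, found or "no isolation-weakening settings")
```

Feed it `docker inspect $(docker ps -q)` on a real host to list the containers whose escape would give the least resistance once a kernel bug lands.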



