What happens is that half of your security updates never happen because it depends on individual app providers who have no skin in the game to do so this is unfixable unless apps that are insecure aren't installable.

Before Silverblue, Red Hat and Fedora maintain a list of custom build scripts for all packages that apply patches and security updates.

After Silverblue, when they run in Flatpaks, they can still maintain build scripts that achieve the same thing.

The distribution itself can even maintain a common base image for all flatpaks in the official repos, retaining all of the code sharing of existing systems, but with the benefit of a more robust and modular solution when they need to make exceptions. End users will also be able to more reliably use applications that are not supported by the distribution proper.