Most security issues are handled by security updates, which don't require a letter update. They're issued as patches, so OEMs can issue them for an older device without updating it to a new release.
https://www.android.com/security-center/monthly-security-upd...
Most of the major OEMs do. The security update rate for upper-tier phones runs about 75% within 3 months these days.
Anyway, I was responding to the comment "Most of serious security issues still require full OS updates." This is demonstrably inaccurate since the security patches do not require a full OS update.