I think there is another step between 2 and 3 though. Namely the time it takes for the team to find out about new vulnerabilities and their fixes.
This is actually something I'm working on with IsMyDependencySafe.
It's currently under development, so there are still some issues. And I'd like to build a notification feature, to bring that time down to almost 0.
I totally agree with you that automatic updates should be used whenever possible. But what do you say to people who argue that updates might break something?
A stupid, but kind of possible, example would be an application that relies on a bug of the underlying software, and stops working when that bug is fixed.