Their previous security updates feature was mostly unused.

I suppose it’s not really working, or is the product of a team and no other internal team actually use it.

I imagine scheduling lined up for the 26.3 release and it wasn't considered dangerous enough. They did this with 26.2 as well including a fix for a zero day. I wonder if they are leveraging that to get people to update sooner. Imagine some people might be turned off of updating with the bugs and visual changes in 26. It's not like 26.2 or 26.3 have any major changes that are enticing.