
ayuhito, today at 1:13 AM

At least with our Renovate config, all dependencies have a 7-day cooldown, but marked security updates are immediate.

Attackers can’t push a security update without going through the reporting process (e.g. GitHub CVE), so they can’t necessarily abuse that easily.
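
A Renovate configuration of the kind the comment above describes, added here as an example; it is not the commenter's actual config. The 7-day value comes from the comment, while the preset, the `internalChecksFilter` setting, the OSV switch and the `security` label are assumptions.

```json5
// renovate.json5 (added example; assumed to live at the repository root)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  // Cooldown: a release must have been published for 7 days before
  // Renovate proposes it, so a freshly published malicious version has
  // time to be noticed and pulled from the registry first.
  "minimumReleaseAge": "7 days",

  // Assumption: hold back branches and PRs entirely until the age check
  // passes, rather than opening them with a pending status check.
  "internalChecksFilter": "strict",

  // Updates raised from the platform's vulnerability alerts (on GitHub,
  // Dependabot alerts must be enabled for the repository). These are
  // keyed on a published advisory against the version currently in use,
  // not on anything the new release says about itself.
  "vulnerabilityAlerts": {
    // Spelled out for clarity: no cooldown on advisory-driven updates.
    "minimumReleaseAge": null,
    // Hypothetical label so reviewers can tell which PRs skipped the cooldown.
    "labels": ["security"]
  },

  // Assumption: also use advisories from the OSV database as a source.
  "osvVulnerabilityAlerts": true
}
```

Because only the `vulnerabilityAlerts` block clears the release-age check, a release that merely calls itself a security fix in its changelog still waits out the 7 days.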