there is a difference between an operating system and a firmware
Are you so sure about that? What are the differences? Let's look at a BMC... it runs a "firmware." That firmware is a small embedded operating system with network access, the ability to send commands directly to hardware, the ability to intercept the boot process, etc. Are you claiming the BMC firmware shouldn't ever need to be updated because it's "not an operating system"? Or, let's take an EFI/UEFI system... again, firmware... but wait... it runs an embedded OS, in some cases Linux. It can run code, interact with hardware, write to hardware, has network access... what, in your world, makes that less important to get updates than the operating system? Or, what about Intel's ME, which is updated via firmware updates? That's another small embedded OS, with network access, the ability to interface with hardware, run executable code, etc... should that not be updated when it has a security issue, because it's "firmware, and you literally should never need to update that"? Or what about the NIC? It sits on the network, receives network traffic, and talks to the rest of the system (likely even through RDMA, where it's talking directly into system memory). It has also had vulnerabilities in the past, everything from DoS-type issues to full remote code execution exploits. But wait... that's just firmware, why the hell would you ever consider updating that, just to fix a pesky security vulnerability? Or what about CPUs, surely those shouldn't ever need a firmware update... unless they were made by AMD or Intel in the last 10 years, and are susceptible to any number of side-channel attacks.
I could go on, but the horse is already a pink mist.