Used nginx server pretty outdated

Do you want to answer my question or keep vague generalisations?
Else you don't need to read further. I am out of this discussion.

'There is a vulnerability' causes a CVE. But not every CVE matches my use case.
We are talking about embedded devices. If you are upgrading a service you need to make sure all dependencies are matched. As the Web interface is your "Monitor" all the users who never heard of CVE will be disappointed to see a 404, 500 or service unavailable. But you are happy, because no service, no vulnerability...

If you don't want network equipment with open CVE, I doubt you will ever find a vendor.

But: If you could provide a CVE with a real-world example of how it will affect the security, I am sure the GL.iNet Team will take this very seriously and find a solution.
Even for older versions, backport fixes often exist. Nice generalisation, isn't it?

Edit: But I am just a user. Maybe the GL.iNet staff agrees with you and analyses every CVE. See for example: GLDDNS Google Indexing - #20 by alzhao
