Re: So...perhaps Mint SHOULD have automatic updates turned on.
Sure, change the default.
Then the more advanced users who care can easily turn it off if they need to.
(Linux user since 1996, no auto updates, ever)
I ran Mint 17 until not long after Mint 20 came out; the timestamp on my last downloaded ISO of Mint 20 was Aug 15, which sounds about right. I maintain my browsers separately from the OS (Palemoon, Firefox ESR and Seamonkey, none of which appear to be in the Mint repos). I also run them as a somewhat more limited user and launch them via sudo, e.g.
sudo -u firefox -H VDPAU_NVIDIA_NO_OVERLAY=1 /usr/local/palemoon/palemoon %u
Could go further of course but haven't bothered to do so. Does make sorting file permissions out funky sometimes.
Just wasn't looking forward to doing the work to do the migration until Mint 20 came out. I rely on a gnome app called brightside which I guess hasn't been maintained in years, and it took several hours of work to compile it on Mint 20 from Ubuntu 16 sources (it was available in the Mint 17 repos). Plus more hours to get everything set up again (started from scratch on a new partition rather than try to upgrade the existing OS; I still have Mint 17 installed and can boot to it if needed). I ran Ubuntu 10.04 on my laptop for a good 12-18 months after EOL before installing Mint 17 years ago.
For me personally the security risk is quite low. I suspect for most Linux users the risk is quite low (though mine personally I think is much lower than even that), just by nature of the type of users most likely to be running Linux; combine that with stats like this:
I guess at the end of the day the "install all updates now!" group of people generally come across as "you will be secure if you have all of the latest updates" (may not be the intention, but that's the way it sounds, in my opinion), which of course isn't true. In my opinion, even running older software, you are safer if you're not going to tons of random sites and downloading random things and opening random email attachments than you are with all security updates applied. So of course it depends on the user. Hence going back to: Linux users are more likely to not do that kind of thing.
I have run internet-exposed servers since 1996. I host my own websites, DNS, email etc. all on public IPs (behind an OpenBSD firewall) at a co-location facility (and I even have an FTP server still for a couple of people that use my systems). My "exposure" there I guess you could say is "high" because the systems are always open from the outside (at least the ports I want opened are). However I have had zero security incidents (that I am aware of) since ~1999 (in that case the incident was caused by a malicious user on the system who was granted legitimate ssh-level access but ended up being not trustworthy).
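The "browser as a separate, less-privileged user" setup and the file-permission friction it causes, as an added example that is not part of the original post: a launcher wrapper around the poster's sudo command plus a setgid shared download directory so the primary account can read what the browser account saves. The account name "firefox", the group "browsers" and the Downloads path are assumptions, not stated in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: the browser runs
# as the account "firefox", both accounts belong to the group "browsers".
BROWSER_USER="${BROWSER_USER:-firefox}"
SHARED_GROUP="${SHARED_GROUP:-browsers}"
BROWSER_BIN="${BROWSER_BIN:-/usr/local/palemoon/palemoon}"

# Create a setgid, group-writable directory. Files the browser account saves
# there inherit the group, so the primary user can read or delete them without
# chown/chmod after every download. Skips chgrp if the group does not exist.
setup_shared_dir() {
    dir="$1"
    mkdir -p "$dir"
    if getent group "$SHARED_GROUP" >/dev/null 2>&1; then
        chgrp "$SHARED_GROUP" "$dir" || return 1
    fi
    chmod 2770 "$dir"   # rwxrws--- : setgid + group rw, nothing for others
}

# Verify the directory is setgid and group-writable by reading the mode string
# from ls (first 10 chars; portable across GNU and BSD). Returns 0 if so.
check_shared_dir() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d???rws*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Run the browser as the restricted account with its own home (-H) and the
# environment variable from the post. Note: a VAR=value on the sudo command
# line is only honoured if sudoers allows it (setenv option or env_keep).
launch_browser() {
    setup_shared_dir "/home/$BROWSER_USER/Downloads" || return 1
    exec sudo -u "$BROWSER_USER" -H VDPAU_NVIDIA_NO_OVERLAY=1 "$BROWSER_BIN" "$@"
}
```

Point the browser's download location at the shared directory so saved files land there rather than in the browser account's private home.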