theoretical non-event
Theoretically this might be weakness but there's 2 things stop it being a major problem.
1) the long lamented fact that manufacturers tend not to bother pushing out more than 1 os update if any to old devivces.
2) on the rare occasions that Updates to android have been available for my phone, all apps have had to be reinstalled anyway.
So in effect the only real risk is the standard one that the average user just accepts the permissions requested witout reading/understanding the implications.