Salesforce Security Updates are published to fix a security issue, prevent attacks, and strengthen the security posture of a Salesforce tenant. They use a hybrid system that is similar in some ways to traditional software that requires the customer to apply updates until EOL and a modern SaaS platform. Salesforce gives admins a “grace period” where they can choose to update the platform, but Salesforce pushes the update through automatically. Security professionals call the period from vulnerability until the organization enforcing a security update the security update is the golden window for attacks.
Source: https://thehackernews.com/2021/08/salesforce-release-updates-cautionary.html