I have a question for you. I honestly don't know the answer. Why are people so hyped over Sailfish OS even if it has security issues like you said?
Open source security fallacy. People have heard that open source can be more secure, but don't understand under which conditions this is true, so it just becomes a "it's more secure because most of it is open source". This is helped by early Jolla advertising highlighting privacy - which was true as long as you didn't add any additional services - and people mixing up privacy and security.
The underlying framework (mer) is fully open so can be audited (and I'm sure the Russians choosing it as their OS for government devices did that, and for the UI too, as they have access to all the code), and relying on Android drivers+libhybris makes it more secure than a normal Android device as most Android exploits will not work out of the box and would have to target SFOS devices specifically. But the hype for me is mostly the UI with full Linux under the hood, so you end up with a device that is pleasant to use and you can hack on it properly without some Android-type band-aids (you can chroot into other distros too if you like, I guess).
Only last year they started (finally) upgrading core components; until then pretty much everything was ridiculously outdated, with a lot of unpatched security issues. Even though they slowly seem to be catching up now, there still is a lot of outdated middleware on there, some of which may not be updated because they are still trying to avoid GPLv3 software on the device. The browser engine probably is also still pretty old, and a good entrance onto a device.
SailfishOS security is pretty much "it's too obscure to bother"; if somebody were to look they'd find quite a few problematic spots.