What you may be missing is that they develop on GitHub and that activity is public. The bad guys can already see security updates going in, pre-release. You seem to believe that if they don't release a security update on 4 July, the bad guys won't know that there is an exploitation opportunity. They can already see the development work.
Now, if they had a larger team they could have a separate private git version for the really sensitive stuff, and a process for quickly pushing it into the public version for release. But until recently the core team was two people; now it's three. Perhaps this makes it a toy in your mind, but since the only alternatives are billionaire-owned surveillance/advertising systems, I guess this is the best we are going to get.