Hm, I knew less about packaging than I thought. I kind of assumed it was mostly automatic updates after the initial package, and only fixing things on major changes.
Anyway, looking at the different tables, it doesn't seem to me that Guix is especially behind well-known distros, and there's a low percentage of problematic issues: https://repology.org/repositories/statistics/pvulnerable
Perhaps it would be more telling to see how long packages are outdated on average? Dunno...