This is so risky.
A good hacker often goes after what's easy. If they can figure out you don't have updates, and there's a clear exploit that has been patched, and you don't have it patched, it's easy for them to break in because they just follow the published info about the exploit.
That's why hackers and governments pay so much for zero day exploits (not yet published) because it allows exploiting a fully patched device. If you have any sort of threat model, your device is easily hackable by someone good. Even with a fully patched OS, a nation-state may still be able to hack you with a zero day exploit.
So it depends on your threat model. If your threat isn't being remotely hacked, but having your phone seized, and your usually is BFU, it's possibly less of a bad idea, but really it's partly defeating the purpose of GOS. You'll still get per App firewalls?
Let's say a server is unpatched and doesn't have "December patch" which protects against a newly discovered type of buffer overflow attack. There is a publication out about "December patch" and it actually shows the commands to gain control of the server. A shitty hacker can follow that publication if they know the server isn't patched. It's a blueprint. A phone OS isn't that different. It's possible some systems in GOS could protect you, but I don't think developers for GOS waste time on "Can unpatched GOS be hacked with published hacks that we've patched?"
Just save your data and start over, then update regularly.