Hi there, I think this information from the GrapheneOS website answers your question.
GrapheneOS can only fully provide security updates to a device provided that the OEM [Google] is releasing them. When an OEM is no longer providing security updates, GrapheneOS aims to provide harm reduction releases for devices which only have a minimum of 3 years support. Extended support updates at minimum will be done until the next Android version...
...Harm reduction releases do not have complete security patches because it's not possible to provide full security updates for the device without OEM support and they are intended to buy users some limited time to migrate to a supported device.