Vulnerability management in the mobile space is interesting.
You could spend hours every week going through the latest CVEs for your device and apps.
Basically, if your phone hasn't received a security update in 6 months, then check the CVE databases to see if there are any new vulnerabilities that were patched by a later release of Android than what you have. There are bound to be a few. Most are not exploited, although the risk remains.
For apps, a bigger issue is the Android API levels. If your phone has stopped receiving updates for a while, the more secure APIs (we're at 33 now) cannot be used by up-to-date apps. Using newer APIs takes advantage of the latest security and privacy features.
Even if your phone is up to date, running old apps that haven't been updated in years could also reflect a similar vulnerability.
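The checks described above can be run against `adb` output. The following is an added example, not part of the original post: it parses constructed samples of `adb shell getprop` and `adb shell dumpsys package packages` output, and the 24-month app threshold and the function names are assumptions (the post only says "years").

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (not from a real device).
GETPROP = """\
[ro.build.version.sdk]: [29]
[ro.build.version.security_patch]: [2021-08-05]
"""

# Constructed sample of `adb shell dumpsys package packages` output.
DUMPSYS = """\
  Package [com.example.bank] (1a2b3c):
    versionCode=412 minSdk=23 targetSdk=33
    lastUpdateTime=2023-01-10 09:14:02
  Package [com.example.flashlight] (4d5e6f):
    versionCode=7 minSdk=16 targetSdk=22
    lastUpdateTime=2017-06-30 18:41:55
"""

CURRENT_API = 33           # from the post ("we're at 33 now")
MAX_PATCH_AGE_MONTHS = 6   # from the post
MAX_APP_AGE_MONTHS = 24    # assumption: the post only says "years"

def months_between(older, newer):
    return (newer.year - older.year) * 12 + (newer.month - older.month)

def audit_device(getprop_text, today):
    """Report device API level and how stale the security patch level is."""
    props = dict(re.findall(r"^\[(.+?)\]: \[(.*?)\]$", getprop_text, re.M))
    patch = date.fromisoformat(props["ro.build.version.security_patch"])
    sdk = int(props["ro.build.version.sdk"])
    age = months_between(patch, today)
    return {"sdk": sdk, "api_behind": CURRENT_API - sdk,
            "patch_age_months": age, "patch_stale": age > MAX_PATCH_AGE_MONTHS}

def audit_apps(dumpsys_text, today):
    """List (package, targetSdk, months since update) for long-unmaintained apps."""
    stale = []
    for block in re.split(r"^\s*Package \[", dumpsys_text, flags=re.M)[1:]:
        name = block.split("]", 1)[0]
        target = re.search(r"targetSdk=(\d+)", block)
        updated = re.search(r"lastUpdateTime=(\d{4}-\d{2}-\d{2})", block)
        if not target or not updated:
            continue  # entry lacks the fields this check needs
        age = months_between(date.fromisoformat(updated.group(1)), today)
        if age >= MAX_APP_AGE_MONTHS:
            stale.append((name, int(target.group(1)), age))
    return stale

if __name__ == "__main__":
    print(audit_device(GETPROP, date.today()), audit_apps(DUMPSYS, date.today()))
```

A stale patch level is the cue to look up which CVEs later Android security bulletins fixed; a flagged app with a low `targetSdk` is one that does not use the newer platform protections.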