CodexAG Isn't the whole point of grapheneos to patch the security vulnerabilities? If GOS does, then even if Fairphone is a little behind in their updates, GOS software can itself be updated to fix any security vulnerabilities.
Vulnerabilities come in different kinds. Two of the big kinds are vulnerabilities in (1) the binary-only firmware blobs that boot AOSP and run important hardware such as the cellular modem, the Wi-Fi/Bluetooth chip, the GPU, etc., versus (2) vulnerabilities in the open-source part of AOSP.
On pretty much all phones, each firmware blob is a cooperative effort between a phone vendor and a chip vendor. When there is a vulnerability in the firmware blobs, only those parties can patch the vulnerability and issue a new blob. Sometimes part of the code built into a firmware blob was provided by Google to a phone vendor. But that doesn't mean that when Google provides a patch, the phone vendor will quickly issue a new blob.
Sometimes the GrapheneOS project uncovers bugs in closed-source firmware components. Historically Google has been fast at fixing those bugs when they are found, whether by Google or by outsiders such as the GrapheneOS project. This is less true for other device vendors.
CodexAG Are you telling us that graphene basically is at the mercy of google fixing these vulnerabilities? [removed content breaking forum rules]
Obviously it is up to each one of us to form a personal judgment as to whether to rely on the GrapheneOS project's trust in Google's firmware blobs. But at present it's not clear what meaningful alternatives there are. Vendors such as Fairphone have exhibited dramatic flaws in the firmware they have shipped (example), and their firmware isn't open-source either (FP forum post).
Overall it would be great if there were phones with strong hardware security and open-source firmware, but that day has not yet arrived.