We used the Helm chart but things didn't get updated often enough to keep our container security stuff happy.

Helm is a huge pain in the butt if you have mitigation obligations because the overall supply chain for a 1-command install can involve several different parties, who all update things at different frequencies :/

So chart A includes subchart B, which consumes an image from party C, who haven't updated to foobar X yet. You either need to wait for 3 different people to update stuff to get mainline fixed, or you roll up your sleeves and start rebuilding things, hosting your own images and forking charts. At first you build 1 image and set a value but the problem grows over time.

If you update independently you end up running version combinations of software that the OG vendor has never tested.

This is not Helm's fault of course; it's just the reality of deploying software with a lot of moving parts.