> Yes, if it was a measure of device security they would revoke attestation of devices that are behind on security updates.

The new attestation system Google introduced recently (which I think also more strongly forces hardware-based attestation for phones that support it and is therefore more difficult to bypass) actually does that – the very highest attestation level requires running a security update not older than one year if I remember correctly.

What remains to be seen how much that'll get used in practice – users with rooted phones or custom ROMs are rare enough that a lot of vendors seemingly have no qualms excluding them, whereas users with outdated phones are probably a somewhat more sizeable number.