GOS developers have said on multiple occasions that they think LineageOS is worse for security than the stock OS on multiple devices, as it doesn't keep up with current privacy/security patches or provide all of the standard protections. The comparison also does bring up these faults. See also https://www.kuketz-blog.de/lineageos-weder-sicher-noch-daten...

"Device does not force you to update" isn't a bug. The bug is "device forces you not to update", which is the thing you get with stock Android on the large majority of Android devices.

Their objections in general seem to be fairly pedantic, e.g. objecting to a connectivity check which could be improved in a theoretical sense, but in practice that shouldn't be leaking anything you're not already giving up by having a phone which is turned on and connected to a cellular network.