> LOTS of people seem to have moved to this kind of docker-based deploy for PaaS. They can't all just be... ignoring security patches?

They can and they are, IME. I've seen images that literally run some version of Alpine Linux from 3 years ago.