I've heard of that approach (breaches being limited to a container), but I don't think it makes sense.

If a security flaw exists in one container due to the stack not being updated, isn't there a pretty good chance that it also exists in the other containers?

Also, for any given container, there probably still is a way for an attacker to do immense amounts of damage. With the database container you can steal customer data. With the PHP container you can remotely instruct the database to do whatever you want, or just point the code at your own database.




Depends what the security flaw is. If it's (as discussed above) a PHP error, it's unlikely to be in your database container.



