Also the arguments against Flatpak imply RPMs & DEBs are magically sandboxed and people always stick to distro packages.
In reality, traditional software packaging does not sandbox *at all*, and people often add third-party repos (PPAs, Copr, OBS, Google Chrome, RPMfusion, AUR, etc.) and sometimes even install random kernel modules (VirtualBox, NVIDIA proprietary blob).
Flatpak is *already* several steps forward, even if there are more to go.
The big positive point about RPM, DEB, … is that you update a library once and you know it's fixed for all. Flatpaks decide which version of their "parent" application they use (like OCI containers with their parent images) and in this way may stay on outdated/insecure dependencies when they are not rebuilt.
And even worse for included dependencies…
Thankfully, the runtimes get updated with the fixes & apps inherit that.
Yes, the big distros are handling it a bit quicker. This isn't a problem with Flatpak itself though. Hopefully this will improve, especially after this bit of bad press.
Smaller distros have security update problems too.
Traditional packages from 3rd parties (Skype, Chrome, add-on repos) also bundle a lot & have similar update issues.
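The point the thread keeps circling (an app pins a runtime, and the runtime is what carries the library fixes) can be checked on a real system rather than argued about. The following shell snippet is an added example written for this page, not code posted by any of the participants above. It takes the two-column output of `flatpak list --app --columns=application,runtime` and a list of runtime refs you consider end-of-life (the list is supplied by the caller; the refs below are constructed sample data, not a statement about which runtimes are actually EOL), and prints every app still pinned to one of them.

```shell
#!/bin/sh
# Flag installed Flatpak apps whose pinned runtime is on a caller-supplied
# end-of-life list. Added example; not from the original discussion.

# Constructed sample of `flatpak list --app --columns=application,runtime`
# output (one "app runtime" pair per line). Replace with the real command:
#   flatpak list --app --columns=application,runtime
SAMPLE_LIST='org.mozilla.firefox	org.freedesktop.Platform/x86_64/23.08
org.example.OldApp	org.freedesktop.Platform/x86_64/21.08
com.example.Editor	org.gnome.Platform/x86_64/45'

# Hypothetical EOL list (constructed for the example). In practice, keep this
# in sync with the runtime announcements of the remote you install from.
EOL_RUNTIMES='org.freedesktop.Platform/x86_64/21.08'

# flag_eol_runtimes LIST EOL
#   LIST: text with "application<whitespace>runtime" per line
#   EOL:  whitespace-separated runtime refs considered end-of-life
# Prints "app -> runtime" for each app pinned to an EOL runtime.
flag_eol_runtimes() {
    apps=$1
    eol=$2
    {
        # Tag the EOL refs and the app rows so a single awk pass can join them;
        # refs and app IDs never contain whitespace, so word splitting is safe.
        for ref in $eol; do
            printf 'EOL %s\n' "$ref"
        done
        printf '%s\n' "$apps" | sed 's/^/APP /'
    } | awk '
        $1 == "EOL" { eol[$2] = 1; next }
        $1 == "APP" && ($3 in eol) { print $2 " -> " $3 }
    '
}

# Stand-alone run on the constructed data:
flag_eol_runtimes "$SAMPLE_LIST" "$EOL_RUNTIMES"
```

Piping the real `flatpak list` output into the function answers the update question directly: an app that appears here will not pick up library fixes from `flatpak update` until its maintainer rebuilds it against a supported runtime, which is exactly the pinning behaviour discussed above. Libraries bundled inside the app itself (under its own prefix rather than the runtime) are not visible this way at all and need a rebuild of the app regardless.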