Ideally the base should be from a project that handles base system upgrades, so that consumers don't have to trust that the vendor is building security updates in a timely manner.

Last I checked, OpenWRT did not do security updates, and it's up to the user to recompile everything if they want newer versions.