Hacker News
“Immutable” Operating Systems (verbum.org)
2 points by pkulak on Feb 5, 2023 | 4 comments


While this concentrates on technicalities of correctly implementing reprovisionable, anti-hysteresis systems, it completely ignores a huge advantage of the current package-manager approach: you can safely delegate security bug management to "upstream" (in relation to you, a user) package managers, while ensuring no interrupts to your workload.

How do we get the best of both worlds?


I don't think I understand how you wouldn't get security updates in a distro that uses something like ostree.


It's more about policies and realities than technology.

Set-based upgrade mechanisms (i.e. images which are sets of packages) have a bunch of packages moving together, and usually apps package their own dependencies even if they are present in those base sets.

App authors move to them so they can avoid rebuilding for different OS versions and different OS distributions.

Basically, you can achieve the same, but as apps will frequently rebundle different versions to avoid repackaging, you lose security updates you'd get from more granular individual package updates.


What’s really important when we say an OS is “immutable”?



