Instead of bundling all available security patches into the next Android Security Bulletin (ASB), Google now prioritizes shipping only fixes for “high-risk” vulnerabilities in its monthly releases. The majority of security fixes, meanwhile, will be shipped in quarterly ASBs. Google defines “high-risk” vulnerabilities as issues that are crucial to address immediately, such as those under active exploitation or that are part of a known exploit chain. This designation is based on real-world threat level and is distinct from a vulnerability’s formal “critical” or “high” severity rating.
Reckless behavior! You cannot adequately rate a vulnerability’s real risk, and we have a very limited view of what’s being exploited in the wild. Threat actors don’t exactly publish their successes, and even the smallest bugs can be used to build powerful primitives in ways that can be really surprising (e.g. a single off-by-one null byte overflow that seems minor can lead to actual code execution with sufficient control of the heap). Picking and choosing is a direct security compromise that makes Android less secure no matter which way you slice it.
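The off-by-one null byte overflow mentioned in the comment above, as an added C example that is not part of the original thread and not code posted by any participant. It models two adjacent heap allocations inside a plain byte arena: a 16-byte name buffer followed by the size word of the next chunk, laid out the way glibc places a chunk's size word (low bit = PREV_INUSE) directly in front of user data. The arena, `NAME_LEN`, `set_name_vuln` and `set_name_fixed` are constructed for illustration; no real allocator is touched, and the size word is packed little-endian explicitly, matching x86-64 and AArch64, where a NUL terminator one past the buffer lands on the word's low byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena: a 16-byte name buffer at offset 0, immediately followed
 * by the 8-byte size word of the neighbouring chunk (offset 16), as glibc
 * would lay it out. Not a real heap; just enough to show the mechanism. */
enum { NAME_OFF = 0, NAME_LEN = 16, NEXT_SIZE_OFF = 16, ARENA_LEN = 64 };
#define PREV_INUSE 1u

static unsigned char arena[ARENA_LEN];

/* Input longer than the buffer (constructed sample; exact length irrelevant). */
static const char LONG_NAME[] = "AAAAAAAAAAAAAAAAAAAA";

/* Size word is packed little-endian explicitly so the result does not depend
 * on host byte order; on x86-64/AArch64 this is also what memory holds. */
static uint64_t read_next_size(void)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | arena[NEXT_SIZE_OFF + i];
    return v;
}

static void write_next_size(uint64_t v)
{
    for (int i = 0; i < 8; i++)
        arena[NEXT_SIZE_OFF + i] = (unsigned char)(v >> (8 * i));
}

/* Helpers mirroring how an allocator decodes the word. */
static int prev_inuse(uint64_t size_word) { return (int)(size_word & PREV_INUSE); }
static uint64_t chunk_size(uint64_t size_word) { return size_word & ~(uint64_t)7; }

/* Vulnerable: the copy is capped at NAME_LEN bytes, but the terminator is
 * written at name[len], which for len == NAME_LEN is one byte past the
 * buffer: the low byte of the neighbour's size word becomes 0x00. */
static void set_name_vuln(const char *src)
{
    size_t len = strlen(src);
    if (len > NAME_LEN)
        len = NAME_LEN;
    memcpy(arena + NAME_OFF, src, len);
    arena[NAME_OFF + len] = '\0';   /* off-by-one NUL write when len == NAME_LEN */
}

/* Fixed: reserve one byte of the buffer for the terminator. */
static void set_name_fixed(const char *src)
{
    size_t len = strlen(src);
    if (len > NAME_LEN - 1)
        len = NAME_LEN - 1;
    memcpy(arena + NAME_OFF, src, len);
    arena[NAME_OFF + len] = '\0';   /* always inside the buffer */
}

/* Reset the arena, give the neighbour a 0x1f0-byte chunk with PREV_INUSE
 * set (word 0x1f1), run one copy routine, and return the resulting word. */
static uint64_t simulate(void (*copy)(const char *), const char *input)
{
    memset(arena, 0, sizeof arena);
    write_next_size(0x1f1);
    copy(input);
    return read_next_size();
}

int main(void)
{
    uint64_t bad = simulate(set_name_vuln, LONG_NAME);
    uint64_t ok  = simulate(set_name_fixed, LONG_NAME);
    printf("vulnerable copy: size word 0x1f1 -> 0x%llx (size 0x%llx, prev_inuse=%d)\n",
           (unsigned long long)bad, (unsigned long long)chunk_size(bad), prev_inuse(bad));
    printf("fixed copy:      size word stays 0x%llx\n", (unsigned long long)ok);
    return 0;
}
```

The single zero byte turns 0x1f1 into 0x100: the allocator now believes the previous chunk is free and that this chunk is 0xf0 bytes shorter than it really is, so its idea of where the following chunk begins is wrong. Overlapping allocations built from exactly that confusion are the usual route from "one NUL byte" to arbitrary write and code execution.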
This reads to me as sugar-coating a cost-cutting measure. “Prioritize fixing and patching the highest-risk ones first” my ass. When you know of a bug that could have security relevance, you fix that bug. This just says you can’t afford the developers to actually fix your broken code.