You're assuming a lot. Take a look through a popular buildpack source and you'll see how they work. They do version pinning which means someone has to be aware of a vuln, its patch, and update the buildpack. I'm not saying they don't do that, just that it still requires a person to make the necessary changes. It's not inherently more secure.