FWIW, there are mechanisms to live-patch the kernel. There were some out-of-tree approaches (ksplice, kGraft, kpatch), but nowadays the kernel has native support that those (kGraft and kpatch, IIRC) can now use.
Most enterprise distros provide a service for that, as the actual work is to create the binary patch fixing the security issues at hand: one cannot always just use the upstream version, e.g., if it introduces internal ABI changes or changes locking (order), as then you'd need to patch X sites atomically at once to ensure nothing falls apart. It can be done, but it is hard to get right.
So yes, if you're willing to put in the money or work you can have systems that run for years and still are just as secure as those that frequently reboot into new updated kernels.
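For a defender wanting to verify what the comment describes on a running host, the upstream livepatch core exposes each loaded patch under `/sys/kernel/livepatch/<patch>/` with an `enabled` flag and a `transition` flag (the latter is set while the kernel is still migrating tasks to the patched functions, which is how the consistency problem mentioned above is handled). The following script is an added example, not code from the comment or from any of the named projects; the sysfs root is passed as a parameter only so the logic can be exercised against a constructed directory tree, and the patch names used in the usage note are placeholders.

```shell
#!/bin/sh
# Added example: summarise kernel livepatches from the livepatch sysfs interface.
# Assumes the upstream layout /sys/kernel/livepatch/<patch>/{enabled,transition}.
# $1 overrides the sysfs root so the function can run against a constructed tree.

livepatch_status() {
    root="${1:-/sys/kernel/livepatch}"
    if [ ! -d "$root" ]; then
        # Directory absent: CONFIG_LIVEPATCH is off or no patch module is loaded.
        echo "livepatch: $root not present (no livepatch support or no patch loaded)" >&2
        return 1
    fi
    count=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        enabled=$(cat "$dir/enabled" 2>/dev/null || echo "?")
        transition=$(cat "$dir/transition" 2>/dev/null || echo "?")
        # enabled=0 means the patch module is present but its functions are not
        # currently redirected; transition=1 means tasks are still being migrated.
        state="inactive"
        [ "$enabled" = "1" ] && state="active"
        [ "$transition" = "1" ] && state="$state (transition in progress)"
        printf '%s\t%s\n' "$name" "$state"
        count=$((count + 1))
    done
    # Succeed only if at least one patch directory was found.
    [ "$count" -gt 0 ]
}

# Number of livepatch modules whose functions are currently active.
active_patch_count() {
    livepatch_status "$1" 2>/dev/null | awk '$2 == "active" { n++ } END { print n + 0 }'
}

# Usage on a real host (no argument uses the real sysfs root):
#   livepatch_status
#   active_patch_count
```

Pairing this with the running kernel version and the distro's livepatch service status gives an auditable answer to "is this long-uptime box actually patched?", which is the claim the comment makes.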