As someone using custom ROMs since CyanogenMod, I think GrapheneOS misses the point and is drawing scenarios that do not concern the “average user”. And they have to promote their system; due to Google’s strategy to cover Android and the Pixel phones behind a less frequent source update, this is kind of understandable.
Fixating on the timeliness of patches isn’t the point for me. To get a phone that does not track me on every step I take is. And where I can decide what apps “leak” or do telemetry.
GrapheneOS is for the nerd who does not care to use an American(!) phone in these times - which gets more and more undocumented and where the crucial hardware abstraction layer (which is fully documented by Fairphone’s hardware btw) is more and more difficult to reengineer.
So factually there may be some substance, but to make a phone more “safe” and less transparent, GrapheneOS isn’t a) the ROM to use and b) the hardware to do it on.
Apps are the holes in the system, not the phone in the first place.