Interesting … you had no replies to this thread Vendor security patches on a CMF Phone 1.
Failed is a strong word … /e/OS is running?
I always thought this unfortunate … I think that you are getting this warning from an area of Settings not actually generated by /e/OS – perhaps you can show a screenshot and perhaps someone can explain the mechanism.
If I am guessing wrong please give an accurate explanation of what is happening. 
The actual Vendor security patch level should appear in
Settings > About phone > Android version.
If you state your figure, others with the device should be able to confirm if they have the same.