“assessing”: SPL dates aren’t inherently wrong, though intransparent. There was a CVE checker that did analysis on-device (SnoopSnitch), but I don’t think it’s kept updated.
“the device should be patched”: someone at /e/ has to bundle the firmware and do kernel vendor fixes; it’s not automatic.