I've noticed this also a few years ago. 

There are some advantages to upgrading node software slowly; an unknown vulnerability may be introduced in new versions and not be in older versions. Thus not all nodes are vulnerable. That was the case for CVE-2018-17145. It took years for full disclosure and it eventually became necessary.

There is also ocassionally a need to have quick security updates. It shouldn't be entirely automated without several points of review. It can be tricky though, because it can be difficult to disclose details of a vulnerability that is necessary for review, while there are still many vulnerable nodes.

Encrypted DMs to operators could be a best effort before a full disclosure.