OpenWRT security advisory missing Linux kernel CVEs

If you visit the OpenWRT Security page you will see that the most recent CVE was from 2022.

That makes sense, as it is a simple system, but what concerns me is that under the Debian Linux kernel CVE page there are plenty of listings. That makes sense, as the Linux kernel is constantly being probed. However, wouldn't OpenWRT also have those same vulnerabilities?

The release notes for each version of OpenWrt include the fixed CVEs. For example, 23.05.3 has 3 such patches.

While it is true that it could be useful to keep a full log of CVEs, it would also require a bit of work to maintain with the affected versions (which may or may not actually include really old versions).

In that case, would it be possible to put a disclaimer on the vulnerability page?

What kind of disclaimer do you think should be there?

Maybe something like this:

Although we try our best to keep this page and OpenWRT itself updated, it is ultimately up to you to manage your own device and to be aware of security risks. It is best practice to update to the latest stable version of OpenWRT when it comes out. Additionally, great care should be given to anything on the public internet or used by the public.

Linux kernel changelogs do not contain Linux kernel CVEs and do not have disclaimers that those are missing. What do you do about it?