YMMV. I always discourage the use of opkg upgrade because it has a bunch of downsides (already discussed), including potentially soft-bricking the device or unusual behaviors that may be difficult to pin down. It doesn't mean that you will always have issues, though. It can depend on which packages you upgrade and the underlying dependencies for those packages. Blindly upgrading all packages is fraught, but some (possibly even many?) packages are upgradable without issue. But because of the uncertainty, it is usually better to avoid upgrading packages unless there is a specific reason.
It should be stated that there are many users, including some of my fellow "regulars" (i.e. people who have a lot of experience with OpenWrt and even more time invested in helping people on these forums) who have never run into a problem with opkg upgrade. But many of us still feel it is best to warn people so that they can be aware of the risk.
That's good, because it is not possible
Selectively updating certain packages may not be an issue, but you never know. I'd say sure for something like nano -- it's not a system level process and if the upgrade goes bad it is unlikely to affect the system stability/performance. But I'd stay away from LuCI, as an example.
Security is an advantage of OpenWrt. As are the packages. And the recommendation to not use opkg upgrade does not negate either of those things. Keep in mind that just because an update is available doesn't mean you should apply it. It doesn't necessarily mean it is better or more secure. Sometimes a new feature is added that actually regresses performance, security, or introduces bugs. Don't tell me you've never regretted applying an update to your computer/phone or other devices?
In the event of the discovery of a serious vulnerability, there will be indications and instructions in the forums about how to mitigate the issue. It could potentially involve using opkg upgrade for specific package(s), or maybe it will come in the form of a service release that is expedited to patch the problematic components. But it is important to decouple these types of situations from general upgrades to packages which rarely contain critical security updates.