EDIT: @tmomas post below gives a far better answer.
My personal take is that for critical bugs, the core developers typically roll a new point release pretty quickly, and then reflashing that new version ASAP is highly recommended.
For non-core self-installed packages, unfortunately we are more or less on our own, that is, you would need to monitor the package repository yourself and decide whether you consider changes to be essential. Opkg, OpenWrt's package manager, is not as fully featured as the other big managers as it needs to work with comparatively little memory. So it really is missing, on purpose, some features you would need for using it as a full featured tool to update an OpenWrt installation. It is fine for installing additional packages and mostly fine for updating packages with restricted security updates, say, if a package got a fix that does not involve and is not dependent upon updates to other packages.
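The post above draws a line between package updates that are safe to pull in with opkg on their own and updates that drag other packages along. The script below is an added example, not code from the post or from the OpenWrt project: it reads `opkg list-upgradable` output (one `name - oldver - newver` line per package) and the `Depends:` line of `opkg info`, and flags every pending upgrade whose declared dependencies are themselves pending an upgrade, so you can upgrade the standalone ones and look at the coupled ones by hand. The package names, versions and `opkg info` text in `UPGRADABLE_SAMPLE` and `info_sample` are constructed so the script runs offline; `opkg_info` is a thin wrapper I added so the same classifier can be pointed at a real box.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenWrt project):
# split pending opkg upgrades into "standalone" (none of the package's
# declared dependencies is also waiting for an upgrade) and "coupled"
# (at least one dependency is also pending, so upgrading it in isolation
# is the case the post warns about).
# Assumed formats: `opkg list-upgradable` prints "name - oldver - newver",
# and `opkg info <pkg>` prints a "Depends: a, b (>= 1.0), c" line.

# parse_upgradable: stdin = `opkg list-upgradable` output; prints package names
parse_upgradable() {
    awk '$2 == "-" && $4 == "-" { print $1 }'
}

# depends_of: stdin = `opkg info` output; prints one dependency name per line,
# dropping version constraints such as "(>= 3.0.12)"
depends_of() {
    awk -F': ' '/^Depends:/ {
        n = split($2, d, ",")
        for (i = 1; i <= n; i++) { sub(/^ +/, "", d[i]); sub(/ .*/, "", d[i]); print d[i] }
    }'
}

# classify_upgrades LIST INFO_CMD
#   LIST     = whitespace-separated names of upgradable packages
#   INFO_CMD = command printing `opkg info` output for the package given as $1
# Prints "standalone <pkg>" or "coupled <pkg>: <dep> [<dep>...]" per package.
classify_upgrades() {
    list=$(printf '%s ' $1)   # normalise to single-space separated, trailing space
    info="$2"
    for pkg in $list; do
        coupled=""
        for dep in $("$info" "$pkg" | depends_of); do
            case " $list" in
                *" $dep "*) coupled="$coupled $dep" ;;
            esac
        done
        if [ -z "$coupled" ]; then
            echo "standalone $pkg"
        else
            echo "coupled $pkg:$coupled"
        fi
    done
}

# opkg_info: real `opkg info` for use on an OpenWrt box (hypothetical wrapper)
opkg_info() { opkg info "$1"; }

# --- constructed sample data, used when opkg is not available -------------
UPGRADABLE_SAMPLE='libopenssl3 - 3.0.12-1 - 3.0.13-1
wget-ssl - 1.21.4-1 - 1.21.4-2
luci-app-firewall - 23.0-1 - 23.0-2'

# info_sample: constructed stand-in for `opkg info` on the three packages above
info_sample() {
    case "$1" in
        libopenssl3)
            printf 'Package: libopenssl3\nVersion: 3.0.12-1\nDepends: libc, libatomic1\nStatus: install user installed\n' ;;
        wget-ssl)
            printf 'Package: wget-ssl\nVersion: 1.21.4-1\nDepends: libc, libpcre2, libopenssl3 (>= 3.0.12), zlib\nStatus: install user installed\n' ;;
        luci-app-firewall)
            printf 'Package: luci-app-firewall\nVersion: 23.0-1\nDepends: luci-base, firewall4\nStatus: install user installed\n' ;;
        *)
            printf 'Package: %s\nDepends: libc\n' "$1" ;;
    esac
}

# Run against the real package manager when present, else against the sample.
if command -v opkg >/dev/null 2>&1; then
    opkg update >/dev/null
    classify_upgrades "$(opkg list-upgradable | parse_upgradable)" opkg_info
else
    classify_upgrades "$(printf '%s\n' "$UPGRADABLE_SAMPLE" | parse_upgradable)" info_sample
fi
```

On the sample data `libopenssl3` and `luci-app-firewall` come out as standalone, while `wget-ssl` is reported as coupled to `libopenssl3` because that library is itself pending. A standalone result only means the package's own dependency list is not in flux; it does not cover packages that depend on the one being upgraded (`opkg whatdepends <pkg>` answers that), and it says nothing about the kernel or base firmware, which is the reflash case the post describes.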
Wow! This is fantastic! As it is, OpenWrt already provides very frequent point releases (every few months) that fix security issues known to date. These intermediate package fixes are released so quickly it's practically "real time". Most OEMs provide a firmware update to fix security issues every few years, and then only if they are bothering to still support their hardware at all.
Huh? Why haven't I seen this before? I skim the forum, commits to master, etc. every few days. I looked around the home page for OpenWrt and couldn't find it. Clicked on the security link under "Why Use OpenWrt" - same.
No doubt there is a way to get there from here and I'm just oblivious, but this is something to be really proud of.
FWIW, I think this should be a link on the OpenWrt home page, front and center within the "Security:" description under "Why Use OpenWrt?", or at the very least somewhere in the detailed "Security" reasons to use, one more click away from the home page.