by sebazzz 2930 days ago
7-zip is licensed LGPL, so you should be able to replace the 7z support library with a newer version.

That is false. It's likely the end-user can update it, but the LGPL does not prevent it from being impossible.

The LGPL makes it perfectly legal for the closed-source antivirus component to not load any 7zip .so binary that is not signed by the antivirus vendor, of a known hash, or so on... and the code loading said shared-object need not be available or modifiable, just the code for the vulnerable .so they do ship.

The LGPL clearly states that a Combined Work which includes the Library must "1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version." as well as insisting that the terms of the license under which you distribute the Application "effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications" <- taken together, maybe (maybe!) you could make an argument that your shared library loader was legit while the code using that shared library loader was evil (though that clearly violates the intention of this license in a way that is so blatant I would be shocked if a judge or a jury didn't shake their heads at your claim), but then the rest of the anti-virus software wouldn't be able to be distributed under a typical commercial license, as modifications and reverse engineering of that code would have to be allowed.
I always wondered whether code-signed deployment is compliant with the LGPL and where the threshold lies.

Specifically, whether being forced to sign a package with a different key (making it a different package) for private purposes is enough, or whether redistribution rights for the whole are required. Finally, if you cannot replace the software because of code signing and there is no public debug mode, that seems incompatible too...

You are quoting LGPLv3, which has provisions making it so you can't restrict replacing the library.

7-zip is licensed under LGPLv2.1. "do not restrict" is not a string that appears in v2.1. The entire second part you quoted was added in version 3.

LGPL or not, if I remember correctly, F-Secure does not enforce a valid signature of the 7-Zip library, so you can replace it yourself. Don't quote me on this though.

However, F-Secure applies several patches to harden 7-Zip and to fix bugs that are not yet fixed in the public 7-Zip version. So it is not clear whether it is always such a good idea to do this.