I am under the impression that even using something like this will leave a person open to vulnerabilities. Is that the case? In other words, some parts of the system (firmware etc) cannot be upgraded.
Using a custom ROM usually puts you in an equal or better position compared to stock. If the vendor releases a new version with updated firmware blobs, then Lineage can just update to use those blobs, but for the parts that Lineage can patch (which is most of the OS, just not some low-level drivers and such) it's usually far more up to date than what the manufacturer ships, and will only become more so as the manufacturer drops support after a few months. Exceptions exist, but they're rare.
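One way to see the split described above on an actual device is to compare the OS security patch level with the vendor (firmware) patch level that Android reports as separate properties. The script below is an added example, not from this thread or the LineageOS project; the `getprop` output it parses is a constructed sample, and the property names `ro.build.version.security_patch` and `ro.vendor.build.security_patch` are the standard Android ones.

```sh
#!/bin/sh
# Added example: compare OS vs vendor security patch levels on an Android device.
# A custom ROM can keep ro.build.version.security_patch current, while
# ro.vendor.build.security_patch only moves when the vendor ships new blobs.

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_PROPS='[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-11-05]
[ro.vendor.build.security_patch]: [2022-08-05]
[ro.lineage.version]: [20-20231110-NIGHTLY-device]'

# prop_value NAME PROPS: extract NAME's value from getprop-style "[k]: [v]" lines.
prop_value() {
    printf '%s\n' "$2" | tr -d '\r' | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# months_since FROM TO: whole months between two YYYY-MM-DD patch levels.
months_since() {
    y1=${1%%-*}; m1=$(printf '%s' "$1" | cut -d- -f2); m1=${m1#0}
    y2=${2%%-*}; m2=$(printf '%s' "$2" | cut -d- -f2); m2=${m2#0}
    echo $(( (y2 - y1) * 12 + (m2 - m1) ))
}

# vendor_lag PROPS: months by which the firmware patch level trails the OS level.
vendor_lag() {
    os=$(prop_value ro.build.version.security_patch "$1")
    vendor=$(prop_value ro.vendor.build.security_patch "$1")
    if [ -z "$os" ] || [ -z "$vendor" ]; then
        echo "patch-level properties missing (pre-Treble device?)" >&2
        return 1
    fi
    months_since "$vendor" "$os"
}

# report PROPS: human-readable summary; for a live device use report "$(adb shell getprop)".
report() {
    lag=$(vendor_lag "$1") || return 1
    if [ "$lag" -gt 0 ]; then
        echo "OS patch level leads vendor firmware by $lag month(s); the blobs are only as current as the last vendor release"
    else
        echo "vendor firmware patch level is as current as the OS patch level"
    fi
}

report "$SAMPLE_PROPS"
```

A large gap is exactly the residual exposure the question asks about: the ROM's own patch level looks fresh while the firmware underneath stays at whatever the manufacturer last shipped.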