That is true. However, Xiaomi is one of the only major sellers that allows you to unlock your bootloader, and they even allow you to re-lock your bootloader after.
So if you want a Xiaomi and care about security, simply remove the bootloader lock and install LineageOS. Some models are officially supported by LineageOS.
That's a good point. Xiaomi deserves praise for keeping the bootloader user-friendly.
LineageOS provides timely Android security updates, but only the manufacturer can provide vendor security patches even when a custom OS is installed. If Xiaomi did this monthly, its phones would be as hacker-friendly as Google's Pixel phones.
On Android there's two kinds of security updates, vendor and platform. LineageOS will provide the monthly platform updates same as on a Pixel, but vendor updates will be the same as a the stock ROM. The basic UI only shows the oldest of the two. In any case it's going to be better than anything except a Pixel.
On LineageOS, the "Android version" screen shows the dates for both the "Android security update" and the "Vendor security patch level" right next to each other.
Xiaomi's update schedule isn't terrible, but it's disappointing that even its flagship devices only get quarterly updates, while other brands including Samsung, Oppo, OnePlus, and Realme commit to monthly or at least bi-monthly updates for their flagships.
Not everyone is willing or able to flash another OS onto their phones, and considering its success, Xiaomi can afford to do better to protect its users with more timely updates.
So if you want a Xiaomi and care about security, simply remove the bootloader lock and install LineageOS. Some models are officially supported by LineageOS.