The use of a non-static tag is intentional to pick up security and bug fixes. It's like using a "stable" branch, where you expect to get any emergency fixes to the stable branch. Only in this case it's a release-specific stable branch. If you ran a system with some compliance mandate that not even security fixes could be automatically applied, then you'd pin to the hash.