Generally, that mutable data is on externally mounted volumes or stores though and not in the container itself, right? Except for what is read into container memory and written out to temporary or work files.
True, but restarting a service, remounting all the data, waiting until everything has synced, etc., just to apply a security patch is a big downside of the immutable approach.