[Tams80]

It's a DAP. I mean, sure, you could be doing smart device things on it, but really it only runs Android to get easy access to streaming services and media apps.

So it doesn't really matter, as the vast majority of owners aren't going to be doing anything that will get it compromised. Many might never connect it to the Internet again after setup.

[jwatt]

I agree the number of attack vectors is significantly reduced in comparison to the same version of Android on a smartphone (particularly if the user is making little or no use of the music player's already limited app store). But there are still many, many CVEs for Bluetooth, for example. Taking the Bluetooth example, I would be happier connecting to a hire car's audio system with a version of Android that is getting patched than a version that is not, and may have known vulnerabilities. I don't want my DAP to potentially be a vector for transferring malware around.