It's perfectly okay for you to put GPLv3 software in ROM that nobody can ever modify and then sell me the hardware. What's not okay is selling me hardware where you can modify the software after the fact, but I can't. And it's also okay for your hardware to detect if I modified the software. It just can't refuse to work if I did.
And this is where the FSF makes the weird trade-off that they prefer to not have security updates as that's more "free" than being able to get security updates from the manufacturer. Either way you can't update it, but at least in the scenario the FSF opposes, the users are able to be more secure.
This has nothing to do with security updates. Any vendor is free to ship security updates; however, vendors often decide to refuse updates to "tainted" devices.