Not directly an answer, but one of the big issues with security patches for custom ROMs is the amount of patches they don't (read can't) ship. The proprietary blobs are very often not patched when the device is vendor-supported, and once it reaches end of life from the vendor (but the community ROMs give devices significantly extended longevity), there's no more patches to these blobs.
Blobs incorporate the modem, baseband firmware, bootloaders, and many (most?) of the hardware drivers and imaging drivers.
51% of Android kernel vulnerabilities in vendor drivers are a result of missing or incorrect bounds checks, and over the whole Android kernel, 44% of all vulnerabilities were missing bounds checks, and 12% for null pointer dereference.
Looking across the whole kernel, from Jan 2014 to April 2016, 85% of kernel bugs are born in vendor drivers, with the remainder in the core kernel.
Vendors therefore are shown to write bad code. It's fairly safe to assume this is reflective of the quality of their blobs too - there's certainly a load of vulnerabilities in those if you look at the Android Security bulletins for bugs without a source reference for the fix.
So agreement with your concern, but I'd just like to highlight that custom ROMs are not really a good security solution, as there's just so much to fix (at a kernel level, requiring detailed driver knowledge of the vendor/SoC stuff), and blobs that won't get updated after the vendor abandons the phone.