You are still missing my point. All phones actively supported by Lineage OS get Android security patches. Those aren't vendor patches but they do patch the OS and sometimes the kernel.
Not to say that you should still buy it. However, if it cheap it might be worth it.
Also from the article you linked:
Although the incident forced LineageOS to take offline all its service, it did not impact the signing keys that authenticate distributions because they are stored on hosts separate from the main infrastructure.