Well, at least xdg-app has the concept of "runtimes" shared among applications.
If a lib/bin in a runtime has a security issued, the whole runtime might be updated. Transparently for the apps running over it.
A runtime might be FreeDesktop-1, Gnome-3.14 for example.
Lets say a 0day is discovered and patched in gtk 3.14, a new version of the Gnome-3.14 is issued and dl by the clients.
Magically (with the help of overlayfs and co) all the apps depending on this specific runtime have a secure gtk.
