I just wrote a post on this. We have an eBPF + SBOM-based security tool, and it runs great because it hooks the kernel directly via a Kube DaemonSet: https://edgebit.io/blog/base-os-vulnerabilities/
tl;dr: Amazon prioritizes patching really well, fixing real issues first
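For readers wondering what "hooking the kernel via a DaemonSet" implies operationally, here is an added, generic example of such a manifest. It is not EdgeBit's code or configuration, and the agent name, namespace, image and service account are placeholders; the point is the host-level access an eBPF agent needs, which is the part worth scrutinizing before rolling one out cluster-wide.

```yaml
# Hypothetical DaemonSet for an eBPF-based node agent (not EdgeBit's manifest).
# One pod per node; the agent loads BPF programs into the host kernel, so it
# needs host PID visibility and BPF-related capabilities, but not full privileged mode.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ebpf-sbom-agent          # placeholder name
  namespace: security            # placeholder namespace
spec:
  selector:
    matchLabels:
      app: ebpf-sbom-agent
  template:
    metadata:
      labels:
        app: ebpf-sbom-agent
    spec:
      hostPID: true                # see processes from every pod on the node
      serviceAccountName: ebpf-sbom-agent   # placeholder; scope its RBAC to read-only
      tolerations:
        - operator: Exists         # schedule on every node, including tainted ones
      containers:
        - name: agent
          image: example.com/ebpf-sbom-agent:1.0   # placeholder image
          securityContext:
            privileged: false      # prefer explicit capabilities over privileged: true
            capabilities:
              drop: ["ALL"]
              # CAP_BPF / CAP_PERFMON exist on Linux 5.8+; older kernels need SYS_ADMIN instead.
              # SYS_RESOURCE lifts RLIMIT_MEMLOCK for BPF maps on kernels before 5.11.
              add: ["BPF", "PERFMON", "SYS_RESOURCE"]
          volumeMounts:
            - name: bpffs
              mountPath: /sys/fs/bpf           # pin maps/programs across restarts
            - name: tracefs
              mountPath: /sys/kernel/tracing   # tracepoint/kprobe definitions
              readOnly: true
            - name: host-proc
              mountPath: /host/proc            # resolve PIDs to container cgroups
              readOnly: true
      volumes:
        - name: bpffs
          hostPath:
            path: /sys/fs/bpf
        - name: tracefs
          hostPath:
            path: /sys/kernel/tracing
        - name: host-proc
          hostPath:
            path: /proc
```

The practical caveat: whatever capabilities the agent is granted, it has them on every node, so treat the image and its supply chain with the same care as a kernel module, and verify that the capability set actually works on your node kernel version before dropping SYS_ADMIN.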