
giantfrog yesterday at 7:03 PM

How the hell are most people supposed to balance the risk of not updating software against the risk of updating software?


Replies

eranation yesterday at 7:06 PM

It's a hard decision. I would say a cooldown by default in the last few months would have prevented more attacks than not upgrading to the latest version due to an immediate RCE, zero-click, EPSS 100%, CVSS 10.0, KEV-mentioned zero-day CVE. But now that the Mythos 90-day disclosure window gets closer, I don't know what tsunami of urgent patches is in our way... it's not an easy problem to solve.

I lean toward cooldown by default, and bypass it when an actual reachable, exploitable zero-day CVE is released.
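
The "cooldown by default, bypass for an actively exploited CVE" policy described in the comment above can be written down as a small decision function. This is an added example, not code from the commenter or from any real tool: the advisory IDs, thresholds (a 14-day cooldown, EPSS >= 0.5, CVSS >= 9.0, or a KEV listing as the bypass trigger), and the dependency data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Policy knobs (assumed values; tune per environment).
COOLDOWN_DAYS = 14       # hold a new release for this long before adopting it
EPSS_BYPASS = 0.5        # EPSS probability at or above which the cooldown is waived
CVSS_BYPASS = 9.0        # CVSS base score at or above which the cooldown is waived


@dataclass
class Advisory:
    """A vulnerability affecting versions below `fixed_in` (constructed shape)."""
    id: str
    fixed_in: str
    cvss: float = 0.0
    epss: float = 0.0
    in_kev: bool = False  # listed in a known-exploited-vulnerabilities catalogue


@dataclass
class Candidate:
    """A newer release of the dependency and the day it was published."""
    version: str
    released: date


@dataclass
class Decision:
    update: bool
    reason: str


def _vtuple(version: str) -> tuple:
    """Parse 'x.y.z' into a comparable tuple (assumes simple numeric versions)."""
    return tuple(int(p) for p in version.split("."))


def is_urgent(adv: Advisory) -> bool:
    """True when the advisory is severe or actively exploited enough to skip the cooldown."""
    return adv.in_kev or adv.epss >= EPSS_BYPASS or adv.cvss >= CVSS_BYPASS


def decide(installed: str, candidate: Candidate, advisories: list, today: date,
           cooldown_days: int = COOLDOWN_DAYS) -> Decision:
    """Apply cooldown-by-default, waived only when the candidate fixes an urgent advisory."""
    age = (today - candidate.released).days
    if age >= cooldown_days:
        return Decision(True, f"{candidate.version} is {age} days old, past the "
                              f"{cooldown_days}-day cooldown")

    cur, new = _vtuple(installed), _vtuple(candidate.version)
    # Advisories that hit the installed version and are closed by the candidate.
    fixed_here = [a for a in advisories
                  if cur < _vtuple(a.fixed_in) <= new]
    urgent = [a for a in fixed_here if is_urgent(a)]
    if urgent:
        ids = ", ".join(a.id for a in urgent)
        return Decision(True, f"cooldown bypassed: {candidate.version} fixes {ids}")

    return Decision(False, f"{candidate.version} is only {age} days old; holding "
                           f"until the {cooldown_days}-day cooldown elapses")


# Constructed sample data for a stand-alone run.
TODAY = date(2024, 6, 1)
FRESH = Candidate("2.0.1", date(2024, 5, 30))   # two days old
OLD = Candidate("2.0.0", date(2024, 5, 1))      # a month old
KEV_ADVISORY = Advisory("EXAMPLE-2024-0001", fixed_in="2.0.1", cvss=10.0, epss=0.97, in_kev=True)
LOW_ADVISORY = Advisory("EXAMPLE-2024-0002", fixed_in="2.0.1", cvss=4.3, epss=0.01)

if __name__ == "__main__":
    for cand, advs in ((FRESH, [KEV_ADVISORY]), (FRESH, [LOW_ADVISORY]), (OLD, [])):
        d = decide("1.9.0", cand, advs, TODAY)
        print(f"{'UPDATE ' if d.update else 'HOLD   '} {d.reason}")
```

The version comparison is deliberately naive (numeric dot-separated only); in a real pipeline the same decision would sit behind a proper version parser and an advisory feed, and the `reason` string is what you would want in the audit log for each update that went through.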

progval yesterday at 9:42 PM

Use a package repository that fast-tracks security updates, like Debian Stable.