Hacker News

AshamedBadger56 today at 6:34 PM

I believe the point is that if you delay patches until X days after release, usually someone will catch it and the maintainer or the package manager will pull the infected release. Thus, by you doing nothing and waiting X days, you protect yourself by never even getting the bad release. Then on the flip side, you just keep up with urgent security updates and push bad ones through faster after vetting them.
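The cooldown policy described in the comment above, sketched as an added example that is not part of the original comment or of any package manager's code. The `Release` fields, the `pick_release` helper, the 7-day default and the sample releases are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Release:
    version: tuple                     # e.g. (1, 4, 2)
    published: datetime
    yanked: bool = False               # pulled by the maintainer or registry
    vetted_security_fix: bool = False  # urgent fix your team has reviewed


def pick_release(releases, installed, now, cooldown_days=7):
    """Return the release to upgrade to, or None to stay on `installed`.

    A release qualifies if it is newer than what is installed, has not been
    pulled, and is either older than the cooldown window or a security fix
    that was explicitly vetted and so may skip the wait.
    """
    cutoff = now - timedelta(days=cooldown_days)
    candidates = [
        r for r in releases
        if r.version > installed
        and not r.yanked
        and (r.published <= cutoff or r.vetted_security_fix)
    ]
    return max(candidates, key=lambda r: r.version, default=None)


# Constructed sample data with a fixed clock so the result is reproducible.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


RELEASES = [
    Release((1, 4, 0), days_ago(30)),              # aged past the cooldown
    Release((1, 4, 1), days_ago(3), yanked=True),  # bad release, pulled on day 3
    Release((1, 4, 2), days_ago(1)),               # too new, not yet trusted
]
URGENT = Release((1, 4, 3), days_ago(0), vetted_security_fix=True)

if __name__ == "__main__":
    print(pick_release(RELEASES, (1, 3, 0), NOW))             # 1.4.0
    print(pick_release(RELEASES + [URGENT], (1, 3, 0), NOW))  # 1.4.3
```

The pulled 1.4.1 is never selected, whether or not the cooldown has elapsed, and only the vetted 1.4.3 bypasses the wait.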


Replies

doctorpangloss today at 8:07 PM

[dead]