Yes, and the vast majority of those millions of people have an arrangement with their OS vendor to receive updates, including security-related updates.
The ones who don't rely on Windows Update, Red Hat alerts, or similar services from various vendors are the ones who have presumably chosen an operating system deliberately outside of those with curated update procedures -- and please note that even relatively small projects tend to have security notification lists.
That leaves a vastly outnumbered, tiny minority of people who are either willfully ignoring crucial information or are constitutionally unable to consume it, and neither group is doing humanity any great service in the process.
In short, retaining a PR firm does nothing to enhance the overall internet's security posture, and just leads to a lot of half-informed worry on the part of people who can't take any action anyway.
The ones who don't rely on Windows Update, Red Hat alerts, or similar services from various vendors are the ones who have presumably chosen an operating system deliberately outside of those with curated update procedures -- and please note that even relatively small projects tend to have security notification lists.
That leaves a vastly outnumbered, tiny minority of people who are either willfully ignoring crucial information or are constitutionally unable to consume it, and neither group is doing humanity any great service in the process.
In short, retaining a PR firm does nothing to enhance the overall internet's security posture, and just leads to a lot of half-informed worry on the part of people who can't take any action anyway.