Then leave one security patch out of the update and push it to the next one.

So put in the full work to patch things, but do it slightly wrong on purpose? What do companies gain by being so passive-aggressive?

Higher revenues through induced obsolescence?

Delaying patches slightly doesn't really help revenues unless it's widely publicized, in which case they look bad and possibly get sued and it doesn't even save them any effort. Maybe it's a risk, but I'll definitely take that risk over what we have today.