Hi! If there are important security updates, we would release those for previous versions as well, yes. We also send out patch updates for every user on that minor version, even if their updates have already expired, since we don't want anyone to get stuck on a version with a bug that we fixed. (So if you got v1.9 and your updates expire, you'll still receive all updates before v1.10.)
That said, Prodigy is a developer tool that you run yourself, often locally, and it's designed to be integrated into any infrastructure you may alread have. So it also doesn't include many security-relevant features. And most of the relevant features that are there are provided by third-party open-source libraries. So you'd always have access to those and can perform upgrades yourself.