For the security issues, how is the version being determined? Does it provide a specific CVE? Keep in mind many apps will report a specific version, but many distros back port security fixes that aren’t reflected in the version number, as they are intended to remain compatible with all things that integrate with that version. You will find this a lot with CVEs for Apache and NGINX for Ubuntu. If you look up the specific CVE, usually you will find out that its already patched, but the reported version (the number chosen by the developer not the package maintainer) doesn’t change.
Lighthouse tests, especially in terms of “optimizing stuff” is made for normla websites.
Comparing a normal website to a big ass web app like Zammad is, is like comparing the power of an bycicle and a car.
We regulary update dependencies with best effort possible.