Can somebody clarify how the qubes-update-check service works and how dom0 gets update notifications for TemplateVMs that are never powered on?

Why is it a security risk? If the template is never run and there are no qubes based on it, then the fact that it is never updated causes no harm. It doesn’t need to be updated, because it is never used.

“Ah,” you might say, “But what if I want to start using it someday? Then it’ll be terribly out-of-date!”

True, but the same can be said of a fresh template that you install in dom0 from the official repo. For example, if you install the Debian 10 template from the official repo in dom0 right now, you’ll have a template that hasn’t been updated in over two years! You will then simply update it yourself before you start using it, which the documentation already says to do. (From what I understand after asking the devs, this is not a problem so long as there have not been any bugs discovered in the template OS’s update mechanism since then.)