Are you saying that DNF does an exact version match instead of making the assumption that
packages with version >= X contain a fix for a security bug which the updateinfo
declares to be fixed in X? Or that the updateinfo itself gets purged of advisories that
don't apply to the latest versions available.