By default, after an update, Android installs a new recovery image during the first boot of that update. We currently have this disabled. If you relock the only way to ever update your recovery image is to unlock (wiping the device & losing encryption keys), flash a new image, and relock. This would need to happen for any discovered kernel exploit (read: about once a month) to avoid having an insecure device.
If the update feature's enabled, there's a chance that after an upgrade, recovery gets updated to a version that no longer boots. We don't QA every build like you see from an actual OEM, they're provided as nightly builds (on a weekly basis). One bug and your expensive device is now a brick.
If the update feature's enabled, there's a chance that after an upgrade, recovery gets updated to a version that no longer boots. We don't QA every build like you see from an actual OEM, they're provided as nightly builds (on a weekly basis). One bug and your expensive device is now a brick.