Score:1

Why are kernel updates no longer categorized as "security updates" in focal?


After upgrading to Focal, I noticed that kernel updates show up in the GUI under "other updates" instead of "security updates". This can lead to delayed notification of critical security fixes, as these updates usually include CVE mitigations.

Screenshot of GUI update notification with kernel update under "other updates"

apt list --upgradable seems to suggest that these updates are no longer part of the focal-security repository? Why? Can this be worked around by configuration, to restore the previous behavior?

~$ apt list --upgradable
Listing... Done
firefox-locale-de/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
firefox-locale-en/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
firefox/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
linux-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-headers-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-image-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-libc-dev/focal-updates 5.4.0-148.165 amd64 [upgradable from: 5.4.0-147.164]
tzdata/focal-updates,focal-updates 2023c-0ubuntu0.20.04.1 all [upgradable from: 2023c-0ubuntu0.20.04.0]


~$ cat /etc/apt/sources.list
###### Ubuntu Main Repos
deb http://de.archive.ubuntu.com/ubuntu focal main restricted universe multiverse

###### Ubuntu Update Repos
deb http://de.archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu focal-security main restricted universe multiverse

###### Ubuntu Partner Repo
deb http://archive.canonical.com/ubuntu focal partner


/etc/update-manager$ grep -r . *
meta-release:[METARELEASE]
meta-release:URI = https://changelogs.ubuntu.com/meta-release
meta-release:URI_LTS = https://changelogs.ubuntu.com/meta-release-lts
meta-release:URI_UNSTABLE_POSTFIX = -development
meta-release:URI_PROPOSED_POSTFIX = -proposed

release-upgrades:[DEFAULT]
release-upgrades:Prompt=lts

release-upgrades.d/ubuntu-advantage-upgrades.cfg:[Sources]
release-upgrades.d/ubuntu-advantage-upgrades.cfg:Pockets=security,updates,proposed,backports,infra-security,infra-updates,apps-security,apps-updates
release-upgrades.d/ubuntu-advantage-upgrades.cfg:[Distro]
release-upgrades.d/ubuntu-advantage-upgrades.cfg:PostInstallScripts=./xorg_fix_proprietary.py, /usr/lib/ubuntu-advantage/upgrade_lts_contract.py

release-upgrades.d/allow-third-party.cfg:[Sources]
release-upgrades.d/allow-third-party.cfg:AllowThirdParty = yes
Score:2

The Ubuntu Security Team is not yet done working on the package. Then it will show up in the security repo.

The image you included has a Launchpad bug number. That bug shows the workflow of this CVE mitigation.

And here's what that workflow says, as of today:


stephan_is_confused
Ah, I see. So that's why, when I use `apt policy` now as @artur-meinild suggested, I can't find any of the recent kernel updates not being in focal-security, although I definitely saw this happen before.
Score:1

After some research, it appears that this will vary according to the type of kernel update. I've recently installed linux-image-5.15.0-71-generic as kernel update, and I get this information:

$ apt policy linux-image-5.15.0-71-generic
linux-image-5.15.0-71-generic:
  Installed: 5.15.0-71.78
  Candidate: 5.15.0-71.78
  Version table:
 *** 5.15.0-71.78 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status

So here it's evident that this kernel update also includes security patches (CVEs), since it's part of both jammy-updates and jammy-security.

However, if this is not the case, then I would assume that the kernel update is only added to the jammy-updates repository. This would be the case if the update mainly contains bugfixes or other backported features that are not directly security related (no CVEs).

stephan_is_confused
That might be the intention - however, this update did include at least one CVE (see screenshot), and I noticed the same with at least one previous kernel update.
Artur Meinild
This should still be correct in general. For this specific scenario, please see the other answer.
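The `apt list --upgradable` listing in the question and the `apt policy` check in the answer above both come down to the same thing: reading which pocket(s) the candidate version is published in, and treating it as a security update only if one of them ends in -security. As an added example that is not part of the original thread, the following POSIX shell script parses both output formats. The sample inputs are constructed from the outputs quoted above so the script runs offline, and the function names are this example's own, not apt's.

```shell
#!/bin/sh
# Added example (not from the thread): classify pending upgrades by whether
# their candidate version is published in a *-security pocket, using only the
# two text formats shown above. Both samples are constructed from the output
# quoted in the thread; the function names are this example's own.

SAMPLE_APT_LIST='Listing... Done
firefox/focal-updates,focal-security 112.0.2+build1-0ubuntu0.20.04.1 amd64 [upgradable from: 112.0.1+build1-0ubuntu0.20.04.1]
linux-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
linux-image-generic/focal-updates 5.4.0.148.146 amd64 [upgradable from: 5.4.0.147.145]
tzdata/focal-updates,focal-updates 2023c-0ubuntu0.20.04.1 all [upgradable from: 2023c-0ubuntu0.20.04.0]'

SAMPLE_APT_POLICY='linux-image-5.15.0-71-generic:
  Installed: 5.15.0-71.78
  Candidate: 5.15.0-71.78
  Version table:
 *** 5.15.0-71.78 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status'

# classify_upgrades: reads `apt list --upgradable` lines on stdin and prints
# one "security|other <package> <candidate-version>" line per package.
# A package counts as "security" when any pocket after the slash ends in
# -security; "focal-updates,focal-updates" (tzdata above) is still "other".
classify_upgrades() {
    awk '
        /^Listing/ || NF < 2 { next }
        {
            split($1, a, "/")              # "name/pocket1,pocket2"
            n = split(a[2], p, ",")
            class = "other"
            for (i = 1; i <= n; i++)
                if (p[i] ~ /-security$/) class = "security"
            print class, a[1], $2
        }'
}

security_only() { classify_upgrades | awk '$1 == "security" { print $2 }'; }
other_only()    { classify_upgrades | awk '$1 == "other"    { print $2 }'; }

# candidate_pockets: reads `apt policy <pkg>` output on stdin and prints the
# pockets (e.g. jammy-security) whose index lists the Candidate version.
# Version-table entries start with " *** " (installed) or five spaces; the
# source lines under them start with eight spaces and a priority.
candidate_pockets() {
    awk '
        /^  Candidate:/ { cand = $2; next }
        /^ \*\*\* /     { cur = $2; next }   # the installed version entry
        /^     [^ ]/    { cur = $1; next }   # any other version entry
        /^        [0-9]+ http/ && cur == cand {
            split($3, s, "/"); print s[1]     # "jammy-updates/main" -> pocket
        }'
}

# candidate_is_security: exit 0 if the candidate is published in a -security pocket
candidate_is_security() { candidate_pockets | grep -q -- '-security$'; }

# Real use (apt's "CLI interface" warning goes to stderr):
#   apt list --upgradable 2>/dev/null | classify_upgrades
#   apt policy linux-image-generic | candidate_is_security && echo security
printf '%s\n' "$SAMPLE_APT_LIST" | classify_upgrades
printf '%s\n' "$SAMPLE_APT_POLICY" | candidate_pockets
```

Run against the sample above, the kernel metapackages and tzdata land in "other" while firefox is "security", which is exactly the split the GUI showed in the question; the `apt policy` sample reports both jammy-updates and jammy-security, matching the answer's reading of it. This only tells you where apt found the version, not whether the changelog mentions a CVE, so it is a check on the pocket, not on the content of the update.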