Android 6.0 Marshmallow / 7 Nougat for FP2?

This is not about source code (which is mostly all GPL or Apache2 licensed) but about the proprietary vendor files (aka blobs) which MTK probably didn’t allow FP to distribute. Regarding the FP2 it would be interesting to know whether FP gained the permission from QC to distribute these files (as Sony obviously did) or if they are still negotiating (well, FP and transparency, the good old story). The sad thing here is that QC also does not publish these files themselves (unlike their CAF kernels) but - just like MTK - they only give them to the vendors directly, connected to terms for redistribution.

Unfortunately, none of these is effective in addressing the WebView vulnerabilities. Even the “visit only trustworthy websites” stuff is not effective, as we’ve seen in the past that some malware is distributed e.g. by ads shown on trustworthy websites. The bigger issue here is that just any app can make use of the WebView component, and then it’s pretty hard to check / control if the traffic goes exclusively to “trustworthy” websites. Furthermore, if you look at apps which display contents via WebView from social networks - you can only regard the network as “trustworthy” or not, but the network usually doesn’t have much control over the contents the users put there.

You can get the source code for the FP1 as well, including the MTK sources for the kernel. Still this does not help, as the device relies on those closed source blobs which only the vendor can provide (unless somebody comes up with a free replacement).

My last update was that it was not very functional (especially regarding Bluetooth problems), but if this has changed meanwhile that’s very good news.

There is no real advantage in running a system which has a 3-month-old hole fixed while having a 1-year-old hole still open. Often, attackers (especially the less talented ones) are exploiting rather older security holes.

The validation and certification process that official OS updates by the vendors have to go through before being released is very lengthy and complicated, especially when vendors provide various “branded” variants. There are loads of articles explaining this, e.g. this one: