Security patches can be applied directly after Google has published them in the Android Security Bulletins and there is no middle(wo)man needed. See this blog post about FP1, for example:
[quote]Now that Fairphone has control over the Fairphone 1 source code, what’s next? First of all, we can say that we have no plans to stop supporting the Fairphone hardware. We will continue to apply security fixes as long as it is feasible for the years to come. We will also keep exploring ways to increase the longevity of the Fairphone 1. [/quote] (bold by me)
The Android Security Bulletin for May 2017 (published on 1st May), for example, says the following:
Partners were notified of the issues described in the bulletin on April 03, 2017 or earlier.
So yes, Qualcomm (the chipset manufacturer) gets notified way earlier about vulnerabilities, but Fairphone receives them, when all other vendors get them too (unless they have other intransparent agreements in place… 
). Btw., there are always two security patch levels: 2017-xx-01 and 2017-xx-05. The first one is partial and only the second one includes all security fixes for that month.
Fixes for general Android vulnerabilities and for Qualcomm-specific issues are released at the same time in the Security Bulletin. (Also see 4. in the Q&A-section of the bulletins.)