In my opinion it is a valid use-case to only want the minimum amount of package changes by only enabling -security. I also think it is a reasonable expectation that upgrades should not fail when it is possible to achieve that.
A possible solution (just in case this hasn't been addressed anyway already, I don't know) could be to automatically enable -updates before distribution upgrades when package changes are made anyway.