Microsoft has released the criteria used to determine whether a reported and confirmed vulnerability is resolved through a security update or in the next version of Windows. These criteria were released to provide insight into the decision-making process and to receive feedback from security researchers.
According to Microsoft, when a vulnerability is reported they evaluate how it should be handled by asking two questions.
If the answer to both of those questions is "Yes", then a security update will be released. On the other hand, if the answer to either of the questions is "No", then the vulnerability is usually, but not always, pushed towards being fixed in a new version of the software instead.
For security boundaries, Microsoft is committed to protecting them, but interestingly not all Windows security features have that same promise.
A "Security Boundary" is defined by Microsoft as the "logical separation between the code and data of security domains with different levels of trust". Bypassing one of these boundaries is obviously a problem, as it means code is performing tasks that should normally not be allowed from its level of trust.
For example, a violation of the "Kernel Boundary" would be if a user mode process is able to access and modify the data or code of the Kernel. Another example that violates the "Virtual Machine Boundary" is if a process in a Guest virtual machine could modify the data or code of the host machine or another guest virtual machine.
Other security boundaries include the Network boundary, Process boundary, AppContainer sandbox boundary, Session boundary, Web browser boundary, and Virtual Secure Mode boundary. Microsoft has committed to protecting all of these boundaries from vulnerabilities that could potentially bypass them.
While Microsoft is committed to protecting all security boundaries, not all security features are treated the same way. Microsoft explains that it is committed to protecting some security features, but there are other features, called "Defense-in-depth" features, for which it does not have the same commitment.
For example, some security features are expected to work as intended, and if they don't, Microsoft promises to resolve the issue. These include "Windows Hello / Biometrics", "Secure Boot", and "Bitlocker", which all have a strict definition of how they are intended to secure a computer and its data.
On the other hand, "Defense-in-depth" features are ones that are intended to protect some aspect of Windows, but come with no promise to do so. This is because an existing security boundary must already be breached in order to exploit them. Thus fixing the more critical vulnerability in the boundary would protect the defense-in-depth feature from being exploited.
These defense-in-depth features include Controlled Folder Access, Windows Defender, AppLocker, and User Account Control (UAC). Vulnerabilities in these features will not lead to a security update, but may be resolved in future versions of Windows.
The last part of the decision process is the severity of the vulnerability. If the vulnerability is Critical or Severe and affects a security boundary or security feature with a promised commitment, then a security update will be released.
On the other hand, if it does not meet both of these criteria, the vulnerability may not be fixed until a new Windows update is released.