All nation-state actors need is an exploit against the browser or social engineering, a privilege escalation and a VM escape exploit, which some journalists are targets of.
Running newer kernels can stop some of them. Maybe you could do something like the Ubuntu LTS release schedule with new kernel updates.
I guess the main issue is that Whonix is based on Debian stable, which is a distribution with a pretty conservative release policy. Each package in the Debian stable repository is tested for months and years before it is released. So, if a user wants to run a newer kernel, he can visit
Download the newest Linux kernel tarball, build the kernel and install it manually. It is not always needed though, because on Linux hosts, newer kernel versions often don’t support the VirtualBox kernel module. As for the guest OS, Whonix is secure by design, which means any Workstation with any kernel version is safe.