https://github.com/hadolint/hadolint/wiki/DL3005 suggests not running package updates. This is a bad idea, because it means many users won't get security updates installed.
For example, the official CentOS images only get regenerated every few months. At time of filing this issue, the `centos:8` image hasn't been updated for 3 months (https://hub.docker.com/_/centos?tab=tags&page=1&ordering=last_updated). (Yes, CentOS is EOLing soon, but that's irrelevant to this point.)
Similarly, while official Python Docker images do get rebuilt more often, there are often windows of a few days where Debian has released security updates, but images haven't been regenerated. Without `apt-get upgrade`, those updates will not get installed in a timely manner.