Rebuild: no. If the software itself is unmaintained, it gets replaced.

Patch: yes. If the base image contains vulnerabilities that can be fixed with a package update, then that gets applied. The patch size and side effects can be minimized by using copacetic, which can ingest Trivy scan results to identify vulnerabilities.

There’s also repos like Chainguard and Docker hardened images which are handy for getting up to date images of commonly used tools.