The point is that while the _release_ repository is frozen, developers may as well start working on post-release updates. If someone proposes something as a release blocker (i.e. asks for a freeze exception) and we think about it and say 'no, it's not a severe enough issue to break freeze, you can just ship an update that fixes it', why can't they start working on the update right then? What's the point in making everyone wait until after the release is done to start working on post-release updates? There isn't one. So we don't: once the freeze is in place, you can happily keep working on packages to produce updates, it's just that they're now effectively 'streamed' to go out as post-release updates, not into the release package set. Since they can work on the updates perfectly well before the release is actually sent out, and our update testers can test and verify the updates perfectly well before the release is actually sent out, there's equally little point in artificially delaying the updates so they come out, say, a week after release - why not just have them available on release day, if they've gone through the proper testing process? So that's what we do.
I guess the way it might seem a bit weird if you're not really involved in the process is that we think the changes are safe enough to go out as 0-day updates, but not go into the release package set - isn't that odd? Well, at first it may seem so, but it really isn't. Putting packages into the release package set has consequences which don't apply to them going out as updates. They might cause issues in the image generation process, or they might cause issues during installation, for packages that get baked into the installer; neither of those is a problem if they go out as an update. And in the theoretical case where a 'bad apple' gets through, it's much MUCH better for it to get through as an update than to get into the frozen stream we're working on turning into the release. A bad update can simply be withdrawn or superseded without having any impact on our work to stabilize the release; and even before it's 'officially' discovered and dealt with, it's much easier for an end user to deal with a bad update than with a bad package that sneaks onto the release images. You can just skip the update and stick with the good version of the package from the 'frozen' set.