Generally, really really good.
For example, when the KRACK stuff came out, they basically said that anyone who’s upgraded over the last two months is already fine, because they’re on the short list of companies who had a heads up, and were able to ship fixes as part of their regular updates.
And they weren’t as affected as some of the others either, because they have their own WiFi stack, since their devices typically, in addition to CSMA/CA, also do their own variant of TDMA. My guess is they probably happened to tweak something along the way that made them more secure than most other WPA2 implementations by default.
In terms of release engineering of software, generally they have 3 branches of RouterOS firmware for each one of their platforms (they have around a hundred if not more devices but only 7 or 8 platforms). Branches are called “rc”, “current”, and “bugfix”.
There are 5-year-old (or more) routerboards out there that are still getting updates.
What happens is, they keep adding new features to “rc”, let’s say 6.42rc6 (next will be rc7, rc8… and so on). These go out roughly weekly, and some are really bad. Sometime at around rc10 usually, … they’ll say, “hey this is good enough”, and will promote 6.42 to “current” branch, and will spin off 6.43rc0 for new feature work.
Then, as it happens with software, even though it’s mostly good, more fixes will be needed: 6.42, … so “current”, will receive a 6.42.1 and 6.43 will receive a fix in whatever is the next rc update, and so on.
They also have a super stable branch called bugfix. This is meant for things that run in the middle of nowhere in the desert, or on islands in the Pacific where you need a plane or a boat and, depending on weather, you may not be able to get to. These are currently at 6.38.3.
What happened at some point, when they had a security issue in the HTTP server used for configuring devices, … basically that afternoon, a new “bugfix”, “current”, and “rc” all came out, … containing only that one fix.
Basically this means, if you have “skin in the game”, let’s say maybe you’ve deployed a few hundred devices, you’re going to keep just a couple of devices in your lab, and you’ll basically be reporting issues to Mikrotik, who’d be super responsive to you if your issues are on RC. And your devices deployed in the field will be running “current”, so by the time “rc” is promoted to current, it’s actually good for you.
Now, it’s also very easy to upgrade, downgrade, rollback, change branches to test things out and so on.