It might be surprising, but a security patch is not limited to just the operating system of a computer. Most security patch updates are installed to repair weaknesses in the code of a web browser. There are a few third party choices in the web browser arena, and no matter which you choose to use, at some point it will require a security patch to update it and properly secure it from vulnerabilities. Reputable software manufacturers regularly develop and distribute an updated security patch as demanded by exposed vulnerabilities present in their code.
Beyond web browsers, any application that is capable of accessing the internet and exposing itself outside your network is a potential liability, which is why all sort of applications will have security patch updates distributed. The frequency may not match the pace of operating systems and browsers, but still the effort is present in many popular programs. Free ones that play music, office editors, drawing programs all have some sort of web capability that demands they be updated with a security patch regularly to eliminate any known openings for hackers to take advantage of.
Just because a program, for example, can only edit photos does not mean that a well executed intrusion will limit damage to only picture files. Once access is gained, a hacker could use an opening to perform almost any task on your system. Which underscores the importance of putting a new security patch in place as soon as it is available and regardless of whether the intended program appears to be innocuous. A path inside from not having an up to date security patch is just as harmful, whether it be happening through a document reader or your web browser. If you have the latest security patch in place across all applications, you weed out even the tiniest of openings to keep your system safe.