Advice to OSS projects that are exposing a public interface: implement an update checker with very visible admin notifications.
We did this for Mastodon 4.2, and it allowed our latest security release to reach 90% active user adoption in less than 48 hours, which took weeks previously.
Also, you should probably have a written guide on how to do your security releases, I hope I can share ours at some point.
You can check the update checker implemention here: https://github.com/mastodon/mastodon/pull/26582