How is that any different than updating a Go app? If a security issue arises in an older version of Go, it doesn’t magically fix in your app until you recompile it.
Java also has a multi decade history of remaining backwards compatible across major version upgrades. Barring known exceptions for things explicitly being removed, I don’t see that changing.
That Go may or may not be a trustworthy foundation to build on for the future you can't say it yet, but Google isn't very trustworthy on this front, while for Java oracle has been very boring but stable.
Having a self-contained single JAR that doesn't even depend on the host's ABI or OS and requires exactly one system dep - a JVM - is even nicer. And if you do want a statically linked self-contained ABI-OS specific binary Java give you that too now.
Java also has a multi decade history of remaining backwards compatible across major version upgrades. Barring known exceptions for things explicitly being removed, I don’t see that changing.