does ARM receive security updates in source code form?

I know that the ARM port is Tier 2 and this means that there are no official releases or binary packages.

However, when Tier 1 platforms receive a security update, does ARM receive it too, in source code form? Can I simply recompile and have the patched version?
I think that release patches are simply that. Patches to source of a release. So yes you can patch ARM.
The patches are released by the security team. FreeBSD 11 is at p3 currently.
I don't think freebsd-update works on ARM so you might have to manually apply the patches and recompile.
This can be time consuming and requires a 16GB microSD.

You could use a crochet build box on patched source to build patched images for deployment.
This would require a strategy for locally saved data on device.
Yes, the security patches are applied on all platforms where they matter including ARM. You don't want to use the patches from the security advisories manually because they are already included in the corresponding releng branch, for example if you want to update your ARM system running 11.0-RELEASE with the latest security patches you should fetch the sources from and use them to compile a new version of the OS and install it.
I see so the /base/release folder is the frozen release and /base/releng/ is the patched release .

The release paths are what are called "tags" in revision control lingo:

SVN doesn't however implement tags at all, instead what you have to do is make a new branch with svn copy and freeze it by agreeing that the new branch gets no updates.

Normally by convention SVN repositories have a /tags directory for storing those tagged versions but in FreeBSD's case the base system repository uses a different convention by using the release/* directories.
For now, this sounds more than what I'd like to invest in time and effort. Maybe I'll reconsider but I read that the next version will bring ARM64 in Tier 1, so we're very close to that!

Thanks guys!