Ok, I finally did the experiment myself to see what happens when using LCM Images and updates that are not applied.
I set up an ESXi 7.0GA ESX and checked the number of missing patches according to baselines: 23 patches, including 6 critical and 3 security.
So I switched to LCM Image and it prompted that baselines will be disabled for that cluster and cannot be reverted.
I selected ESXi 7.0GA as "ESXi Version" in LCM during image setup.
When the LCM Image setup was done, it claimed that my cluster was compliant.
So the 23 missing patches were ignored; good luck with your security while waiting for the next ESXi image to be released.
While I do understand the "desired state" thing and everything feels like "this is the way to go", my opinion is that VMware has missed a critical point in the "day 2" operations, as the next security patch has to await the next ESXi base image release instead of being incorporated immediately by LCM.