If he keeps using the Ledger Nano with Electrum software, he won't need to upgrade the firmware unless he chooses to do so. Firmware updates are exclusively carried out via Ledger Live.
Sometimes there are vulnerabilities here that must be updated, and if they are not obligatory, the user will panic as soon as he hears of such a vulnerability, and it is not wise not to update the firmware, especially with the popularity of Bitcoin, and it has become the target of hackers and even traditional thieves.
I can remind you of close to one:
ledger vulnerability: Invalid addresses for certain miniscript policies
Again, losing trust is the last thing you need to think about if you are paranoid, so moving to a better wallet would be better; losing part of the money is more important than wasting your health on something not worth it.