I think you need to step back a little. I don't think you understand how package management works in Ubuntu. I'll have a stab at explaining it at a high level —so as not to write a whole book on the subject— but still cover your questions.
Each Ubuntu release has its own set of online package repositories.
A package repository is (essentially) just a directory with a pile of package files and a release file that lets you see what package versions it contains.
The "frozen" state of the package versions doesn't mean they never get updated. Maintainers try to leave packages on the same major version as at release, but security patches do get backported. And there are exceptions to this, Firefox being the obvious one, but I won't get too bogged down in the politics here.
When a security issue arises and something can be patched, the maintainer applies that patch to the version of the software being used in that version of Ubuntu —for each supported version of Ubuntu— builds packages for them, uploads them to the repo, and the release file is updated.
Ubuntu systems can then (via Apt, the package manager) download these updated release files, see which packages can be updated and can then download and install the updates.
The installer will also offer to download these updates while it's installing. The first proper run of Ubuntu can be using fully updated software.
That should give you some sort of idea of the process. There's a ton of stuff happening behind the scenes but as I said, I wanted to avoid writing a book about this here.
The "patch history" and difference between ISO and current aren't really something exposed to the user. Ubuntu will just try to get the latest in the repo and the package maintainers take care of the rest. That said, you can see the package changelogs for some packages with (e.g.) apt changelog gnome-shell.