
What if the library's new features aren't useful to your project and do not correct any bug you might hit in your use case?


If you're going to audit your dependencies sufficiently to know that then you don't need a tool like this anyway?


A tool like that won't replace auditing dependencies.

The total age of dependencies tells you nothing useful.


Nor did I claim it would. If you are auditing your dependencies like that then you don't need it, I said, as in it's not going to give you any extra information.

If you're not, and very many people are not, then total age of dependencies is a decent low-effort approximation for the probability of bug fixes affecting parts of dependencies that you're using.
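The metric discussed above, as an added example that is not part of this thread and not the code of any particular tool: each dependency's age is the gap between the release date of the version pinned in the lockfile and the release date of the newest version upstream; the per-dependency ages are summed and ranked so the biggest contributors stand out. The dependency names and release dates are constructed for the example; a real run would read the lockfile and fetch release dates from the package registry.

```python
from datetime import date

# Constructed sample data, not taken from any real lockfile or registry:
# release date of the version pinned in the lockfile, and release date of
# the newest version published upstream, per dependency.
PINNED_RELEASE_DATE = {
    "httpclient": date(2021, 3, 1),
    "jsonparse": date(2023, 11, 20),
    "tlsshim": date(2019, 6, 15),
    "leftover": date(2022, 1, 1),   # deliberately absent from the upstream index
}
LATEST_RELEASE_DATE = {
    "httpclient": date(2024, 2, 10),
    "jsonparse": date(2024, 1, 5),
    "tlsshim": date(2024, 3, 1),
}

DAYS_PER_YEAR = 365.25


def dependency_ages(pinned, latest):
    """Return ({name: age_in_days}, [names with no upstream data]).

    Age is the gap between the pinned release and the newest release, i.e.
    how long the project has been running a version upstream has since
    replaced. Dependencies missing from the upstream index are reported
    separately rather than silently counted as zero, which would understate
    the total.
    """
    ages = {}
    unknown = []
    for name, pinned_on in pinned.items():
        latest_on = latest.get(name)
        if latest_on is None:
            unknown.append(name)
            continue
        # A pinned version newer than the index's "latest" (stale index,
        # pre-release pin) gets age 0 rather than a negative number.
        ages[name] = max(0, (latest_on - pinned_on).days)
    return ages, unknown


def total_age_years(ages):
    """Sum of all per-dependency ages, in years."""
    return sum(ages.values()) / DAYS_PER_YEAR


def rank_by_age(ages):
    """Dependency names ordered by how much they contribute to the total."""
    return sorted(ages, key=ages.__getitem__, reverse=True)


def older_than(ages, years):
    """Dependencies whose pinned version trails upstream by more than `years`."""
    return [n for n in rank_by_age(ages) if ages[n] > years * DAYS_PER_YEAR]


if __name__ == "__main__":
    ages, unknown = dependency_ages(PINNED_RELEASE_DATE, LATEST_RELEASE_DATE)
    for name in rank_by_age(ages):
        print(f"{name:12s} {ages[name] / DAYS_PER_YEAR:5.2f} years behind")
    print(f"total: {total_age_years(ages):.2f} dependency-years")
    print(f"no upstream data for: {unknown}")
```

The ranking is the useful part in practice: a total of several dependency-years usually comes from one or two long-stale pins, and those are the ones worth checking against the upstream changelog for fixes in the code paths the project actually uses.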


What if security fixes are useful to your project?


I count security fixes with "bugs that you would hit in your use case".

I don't care about CVEs that only affect functions my app does not use.



