Old Router Security

I’m not super clear on whether OpenWrt actually provides updates to fix hardware-level vulnerabilities, or if it just provides operating system/software-level support.

Once a router reaches EoL and is no longer receiving updates from the vendor, is it ok security-wise to continue using it with the latest version of OpenWrt, or are there likely to be hardware vulnerabilities specific to the router that might not be addressed by OpenWrt?

It should be fine; afaik they do their own standardised firmware. I don’t think they use OEM-specific firmware patches in the first place. OEMs like TP-Link never update their devices anyway, even selling routers with Linux kernel 3 or 4.