It would be great to try using Dependabot on @jenkinsci repos. It should be free for us.
For example, plugin-pom could automatically get PRs filed when there are plugin updates available, including from maven-hpi-plugin. Various Jenkins plugins could even get PRs filed to update at least their parent.
Presumably we would want to use configuration-as-code.
I am not personally able to authorize the app for @jenkinsci to try it out; that probably needs an org admin.