Here's the problem: Google Play states the following in the email (I also got the email) :
While these specific issues may not affect every app that uses Apache Cordova, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered Dangerous Products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.
So if you don't update your apps, technically you could get a Google Play account strike after May 2016.
Here's the kicker; I've updated apps in the past for similar issues and the update launches another verification of your app. During that verification there is a reasonable chance that your app will get flagged for a totally unrelated issue and generate a policy strike. It happened to me last time. A 2-year old app got a policy strike for something it was not violating.
So, do we feel lucky?