Anything is possible
99% of the time, security updates through iOS updates are a myth for 99% of people. Even old iOS versions are very secure for the average user. However, sometimes, yes, a newer version might address an issue that might have cropped up in the future.
IMO don't update iOS versions for security. Only update for features.
Security updates are similar to preventive medicine. Prevention is taking steps to avoid something that you don't know will actually happen. Since we don't know the future, all we can do is try to anticipate potential events.
While there are occasionally egregious threats that may affect a high percentage of people, most threats (whether software bug or security flaw) affect a small percentage of users. So yes, maybe 99% (or 99.9999%) of users would not have been affected had the bug or flaw never been fixed. However, that doesn't mean the bug or flaw was not real to those who are/would have been affected. The problem is, we can't know whether we would have been part of the 99% or the 1% - we don't have time travel.
We humans tend to be very bad at assessing risk. We sometimes obsess about things that have incredibly low probabilities of happening, while happily doing things on a daily basis that carry far greater probability of harm. But whether low probability or high, it's still probability. Improbable things still happen - we do stupid, dangerous things and survive, and we can do all the right things and still come to harm. The question is whether we choose the improbable (betting our life's savings on a 100-to-1 long shot in a horse race), or we embrace the probable (betting on the 2-1 favorite). Either can be a losing bet or a winning bet, because probability is not the same thing as sure knowledge (using a time machine to find out which horse actually wins, then returning to the present to make the wager).
Now, to the original question. An interim update (moving from iOS 12.3 to iOS 12.4.7) is nearly always going to enhance security. While there are always exceptions (accidents do happen), the purpose of releasing interim updates is to fix things, not break them. Now, if your friend is interested, this Apple support article describes the changes made in each of iOS 12.x's releases:
https://support.apple.com/HT209084
Since your friend would be jumping from 12.3 to 12.4.7 (skipping 12.3.1, 12.3.2, 12.4, 12.4.1, 12.4.2, 12.4.3, 12.4.4, 12.4.5, and 12.4.6), there's a fairly long list of accumulated items. 12.3.1 through 12.4.1 were released prior to the release of iOS 13, so they include some new features as well as bug fixes and security patches. However, 12.4.2 - 12.4.7 have been released after the introduction of iOS 13 - as is typical with Apple, those contain only security fixes.
That iPad Mini 2 cannot run iOS 13. At the moment, iOS 12.4.7 is the highest that iPad can go. I don't have a crystal ball, so I can't say whether it will be the last-ever update available for that iPad, but any future updates are also likely to be security fixes.
Your friend probably won't be hurt by doing nothing. Your friend probably won't be hurt by installing the update. However, even people who are highly skeptical of software updates consider security patches to be a no-brainer - incredibly low probability of harm, with the potential benefit of enhanced security.