OIDC ID Token claim updated_at violates OIDC specification, breaks RP implementations

You’re right on all counts; the only issue is that software is complex, it’s written (still mostly) by humans and humans make mistakes.

TL;DR: If you have an issue related to updated_at and need it to follow the specification, then based on the information I found, for now we can enable a flag in the affected tenants in order for the response to be compliant.


The long story: the service existed before the OIDC specification was finalized, and when we introduced the admin-facing OIDC conformant toggle we missed that updated_at was returning an incorrect type. In other words, if we had fixed this when it was found, it could technically have broken customers that had already enabled the client option but also made the same mistake as us and continued treating updated_at as a string.

The definitive fix requires a migration and is listed in (Deprecations and Migrations), although it does not yet have a concrete timeline.

If you have a paid subscription you should open a support ticket and tell us the affected tenants; if you don’t have access to support tickets you can DM me the tenant, but this option may be subject to a bit more delay and it depends on me being online.
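For relying parties that must keep working both before and after a tenant is switched to the compliant response, the following is an added example (not part of the post above and not the vendor's code) that normalizes `updated_at` to the numeric seconds-since-epoch form the OIDC specification defines. The function name is hypothetical, and the ISO 8601 shape of the string form is an assumption, since the post only says the claim was returned as a string.

```python
import math
from datetime import datetime, timezone


class ClaimTypeError(ValueError):
    """updated_at was present but in a form this helper does not accept."""


def normalize_updated_at(claims):
    """Return updated_at as int seconds since the Unix epoch, or None if absent.

    Accepts the spec form (JSON number) and, as an assumption, an ISO 8601
    string for the non-compliant form. Anything else is rejected, not guessed.
    """
    if "updated_at" not in claims:
        return None
    value = claims["updated_at"]

    # bool is a subclass of int in Python; JSON true/false is not a timestamp.
    if isinstance(value, bool):
        raise ClaimTypeError("updated_at is a boolean")

    if isinstance(value, (int, float)):
        # json.loads accepts NaN/Infinity by default, so check explicitly.
        if not math.isfinite(value) or value < 0:
            raise ClaimTypeError("updated_at is not a valid epoch value")
        return int(value)

    if isinstance(value, str):
        text = value.strip()
        # Older datetime.fromisoformat versions do not accept a trailing "Z".
        if text.endswith(("Z", "z")):
            text = text[:-1] + "+00:00"
        try:
            parsed = datetime.fromisoformat(text)
        except ValueError as exc:
            raise ClaimTypeError("updated_at string is not ISO 8601") from exc
        if parsed.tzinfo is None:
            # Assumption: a string without an offset is treated as UTC.
            parsed = parsed.replace(tzinfo=timezone.utc)
        return int(parsed.timestamp())

    raise ClaimTypeError(f"updated_at has unsupported type {type(value).__name__}")


if __name__ == "__main__":
    # Constructed sample claims: the same instant in both forms.
    print(normalize_updated_at({"updated_at": 1551443696}))
    print(normalize_updated_at({"updated_at": "2019-03-01T12:34:56.789Z"}))
```

Logging which branch was taken per issuer makes it visible when a tenant has actually been switched to the compliant type.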