That’s an excellent point. Given that your link is to the site of the private company running the program, I guess the argument for not specifying the review period is that it is up to the TSA. No link to any relevant policy or document at the TSA site, though. Anyone feel like searching for it? Of course, it is likely the TSA would use the old saw that revealing any details of their continuous security review would pose a security risk.
Regardless, I can imagine any number of problems with data that is too old. I doubt that the TSA would update so frequently that they would introduce problems at that end of the spectrum. Interesting that the private vendor just uses a go/no go from the TSA to maintain their credentials. Makes you wonder if a man-in-the-middle attack to wreak havoc on the system, if the trust between these bozos and the TSA is poorly managed.