10th gen is out and even if Intel had known about the vulnerabilities, not all of them have been fixed. I think the vulnerabilities and fixes can cause a performance penalty. Maybe that depends on what the vulnerability concerns exactly. Intel chose which vulnerabilities will be fixed, and seeing that AMD is really competitive now, Intel's decision not to fix all of them might be due to the fact that Intel wants to stay competitive against AMD, because some vulnerabilities are lowering the CPU performance. Could that be correct?
This is as correct as your statement that the fixes don't impact the performance.
10th gen (only on mobile at this point though) is an interesting point. The 14nm models of 10th gen are Comet Lake, a descendant of Whiskey Lake and kind of on par with Cascade Lake on the Xeon side of things. These are in the same boat as Cascade Lake; basically the remaining vulnerabilities are SWAPGS and Zombieload V2 (in addition to Spectre V1/2, which are more generic problems).
Ice Lake, the 10nm models of 10th gen, are a bit of an unknown. These do not seem to have the same vulnerabilities, but the information on these is not very easily found. For example, the latest Zombieload V2 list of affected CPUs includes Comet Lake 10th gen but not Ice Lake 10th gen. According to what mitigations are enabled by OSs (based on various screenshots and details from the net) as well as Phoronix' mitigation testing articles, Ice Lakes do not seem to have most of the speculative execution vulnerabilities.
Again, the performance penalty comes largely or entirely from how mitigations work - these are done in software or firmware to avoid certain vulnerable microarchitectural states as much as possible. When this is ensured not to happen through changes in hardware, software mitigations (and their performance penalty) will not be applied. So far, there does not appear to be a discernible performance difference from fixed vulnerabilities when the fix is in hardware.
When we talk about performance and leave other aspects aside, it is very much in Intel's interest to fix as many of these issues as quickly as possible. This does appear to be exactly what they are doing, with the caveat that the timeframe in question is a year or more. A vulnerability is reported, usually put under embargo for 6 months, then it is published along with some type of mitigation (software, firmware), and the next model or revision of CPUs will include a fix for the vulnerability in hardware. In broad strokes, this is how all of the issues since Spectre/Meltdown have been handled.
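The reply above leans on "what mitigations are enabled by OSs" to tell a hardware-fixed CPU from one running software mitigations. On Linux the kernel publishes exactly that, one file per issue under /sys/devices/system/cpu/vulnerabilities/, each holding a line such as "Not affected", "Vulnerable" or "Mitigation: ...". The script below is an added example, not code from the thread or from any poster: it classifies those lines into hardware-fixed / software-mitigated / exposed, runs that over two constructed sample reports (the status strings mirror the kernel's wording but the combination is made up, not a capture of any specific CPU), and, if run on a real Linux box, reads the live files as well. The helper names (`classify`, `summarize`, `read_live`) are this example's own.

```python
"""Classify Linux sysfs speculative-execution mitigation status lines.

Added example, not part of the forum thread. The kernel exposes one file
per known issue under /sys/devices/system/cpu/vulnerabilities/ (names such
as "meltdown", "spectre_v2", "mds", "tsx_async_abort"); each contains one
line like "Not affected", "Vulnerable", or "Mitigation: <description>".
"""
import os
from typing import Dict, List

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample (not a capture of a specific CPU): the shape of a report
# from a part that needs kernel/microcode mitigations for most issues.
SAMPLE_OLDER_CPU = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "tsx_async_abort": "Vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
}

# Constructed sample: the shape of a report where hardware changes remove the
# issue, so the kernel applies no software mitigation (and no penalty) for it.
SAMPLE_NEWER_CPU = {
    "meltdown": "Not affected",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling",
    "mds": "Not affected",
    "tsx_async_abort": "Not affected",
    "l1tf": "Not affected",
}


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse state.

    'hardware' - kernel reports the CPU is not affected (no software cost)
    'software' - a kernel/microcode mitigation is active (possible cost)
    'exposed'  - reported vulnerable with no effective mitigation
    'unknown'  - any other text (e.g. a newer wording this script lacks)
    """
    s = status.strip()
    if s == "Not affected":
        return "hardware"
    if s.startswith("Mitigation:"):
        return "software"
    if s.startswith("Vulnerable"):
        return "exposed"
    return "unknown"


def summarize(report: Dict[str, str]) -> Dict[str, List[str]]:
    """Group issue names by the state the kernel reports, sorted by name."""
    groups: Dict[str, List[str]] = {"hardware": [], "software": [], "exposed": [], "unknown": []}
    for name in sorted(report):
        groups[classify(report[name])].append(name)
    return groups


def read_live(vuln_dir: str = VULN_DIR) -> Dict[str, str]:
    """Read the real sysfs files on Linux; return an empty dict elsewhere."""
    if not os.path.isdir(vuln_dir):
        return {}
    out: Dict[str, str] = {}
    for name in os.listdir(vuln_dir):
        try:
            with open(os.path.join(vuln_dir, name)) as fh:
                out[name] = fh.read().strip()
        except OSError:
            continue  # unreadable entry; skip rather than abort the report
    return out


if __name__ == "__main__":
    for label, rep in (("constructed older CPU", SAMPLE_OLDER_CPU),
                       ("constructed newer CPU", SAMPLE_NEWER_CPU),
                       ("this machine", read_live())):
        if not rep:
            print(f"{label}: no sysfs vulnerability directory found")
            continue
        g = summarize(rep)
        print(f"{label}: fixed in hardware={g['hardware']}, "
              f"software mitigation={g['software']}, exposed={g['exposed']}")
```

The "software" bucket is the one that carries a runtime cost, which is the point made above: a CPU whose report moves an issue from "Mitigation: ..." to "Not affected" has had the fix moved into hardware, and the kernel simply stops applying the workaround. An "exposed" entry (a "Vulnerable" line) means neither microcode nor kernel mitigation is in place for that issue and is what a defender should chase first.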