The first generation iPad Air, iPad mini2 and mini3 can only be updated to iOS 12.5.4. With this version installed, you will have one of these three models.
Apple ended major update support for these models of iPad in September 2019 - although they since continue to receive “point” security updates - the most recent being released just a few weeks ago. These devices cannot be updated to iPadOS 13 (or any later major versions of iPadOS) as the internal hardware does not meet the minimum technical requirements (CPU and RAM) for newer versions of iOS/iPadOS.
The iOS/iPadOS 14.8 release addresses a specific security vulnerability that is not exposed in iOS 12.x.
I hope this information provides helpful clarity.
Given that your device is within its twilight period of update support, you might be well advised to consider replacement with a more recent device - in so doing benefiting from both enhanced functionality and full update support.
Due to the system architecture of iOS/iPadOS, unless jailbroken (don’t go there!), your iPad is not susceptible to traditional malware infection per-se. However, as with all computer systems, there are still vulnerabilities and exploits to which you remain vulnerable. Be wary of the myth that Apple devices are immune to malware; those that perpetuate this untruth simply do not understand the broader threat landscape. There are additional protective measures that you can implement - these being applicable to all versions of iOS/iPadOS.
Browser-based attacks can largely be mitigated by installing a good Content and Ad-blocking product. One of the very best and most respected within the Apple App Store - designed for iPad, iPhone and Mac - is 1Blocker for Safari.
https://apps.apple.com/gb/app/1blocker-for-safari/id1365531024
1Blocker is highly configurable - and crucially does not rely upon an external proxy-service of dubious provenance. All processing takes place on your device - and contrary to expectations, Safari will run faster and more efficiently.
Unwanted content is not simply filtered after download (a technique used by basic/inferior products), but instead undesirable embedded content blocked form download. A further benefit on metered services, such as cellular connections where you data may be capped or chargeable, this not only improves speed but also saves you money. Recently introduced is an additional “firewall” security measure that provides protection from other threats. More information can be found on the Developer’s website:
https://1blocker.com/
A further measure to improve protection is to use a trusted Recursive DNS Service in preference to automatic settings. This can either be set on a per-device basis in Settings, or can be set-up on your home Router. I strongly recommend using one of the following services - for which IPv4 and IPv6 server addresses are listed:
Quad9 (recommended)
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9
OpenDNS
208.67.222.222
208.67.220.220
2620:0:ccc::2
2620:0:ccd::2
Cloudflare+APNIC
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
Use of the above DNS services will help to shield you from “known bad” websites and URLs - and when used alongside 1Blocker, or other Content Blocker provides defense in depth.
There are advanced techniques to further “harden” iOS/iPadOS, but these are perhaps beyond the immediate skills of novice users.
I hope this information and insight proves to be helpful.