But why do I still have 2018 updates (4 years ago in the package)?
Because there's no mechanism to remove unexpired updates from a package. Do not confuse the package with a deployment group, they are two completely different things and are not specifically linked.
If you want to remove these older updates from the package, you can easily go into the package and manually remove them ensuring you only remove those that are not deployed (there's a column for that in the package view so this is easily done). However, how do you know nothing will ever need these updates again? How do you know an admin won't remove one of these older security updates? Why is 80GB a big deal? Assuming you are using cheap storage (which you 100% should be for content storage in ConfigMgr) this is like $100 of disk space (if that even) so removing them has no benefit except to slow the process down if one of these updates is ever needed again.
I do strongly recommend that you revise your ADR though. Here's an older blog of mine where I cover my recommended "starting point" for ADRs: https://home.memftw.com/software-updates-and-automatic-deployment-rules-in-configmgr/