Your friends show two distant points on the patching spectrum we have to make all the time.
Neither is right, nor wholly wrong. The first friend doesn't worry so much about stability, and for himself that's fine. He knows the choices he's making and he's really into that. Good for him. The second friend is more conservative and more in line with what the mainstream hopes for and expects. I'd like to know what they consider "serious security" updates, because it could be anywhere from reasonable security to complete insecurity. This is why most environments have tiers of patching and testing. We know we need to get security updates out as much as possible. Some people get more value out of being on the bleeding edge than having a stable install, others can't/won't have their work interrupted for any cost. This is also why this argument is silly to have between two people on which way is "better."
As for what I do? My home system gets updates as soon as I see they're available. I occasionally play with nightlies or betas, on a VM, to see if there are major interface tweaks, a new feature I want, or whatever else I'm interested in. I'd never suggest that for most of my friends or relatives.
Incidentally, that's pretty much how it goes at work. Most of the people I work with in IT, and a few select users are in the first group. Most people get security updates quickly, and well vetted other updates when they're more thoroughly tested.