I run all updates through my build and unit test environment as they come out. It is much easier to do many small updates every other week or so than it is to try to do thousands once a year and only pick and choose security issues.
If something is difficult do it a lot and it will become easy.
I've also become a fan of the anti-long uptime for my Linux hosts. If a host has more than 30 days uptime it gets rebooted. Not because of hanging drivers or leaky memory, but because I need to have confidence that all the boot scripts and services are in place correctly and will come back up. I also like to randomly pick servers from the environment and completely kill them, in production. It is the only way to test that your recovery procedures are as good as you "planned" them to be.
First harden your environment, then temper it, and continuously test it.
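The 30-day uptime rule from the post, as an added example (not the poster's own script): a POSIX sh check that parses `/proc/uptime`, converts it to whole days and reports whether the host is over the threshold. The threshold, the function names and the `REBOOT`/`OK` output format are assumptions for this example; the script only reports, it never reboots anything, so a scheduler or config-management run can decide what to do with the result.

```shell
#!/bin/sh
# Added example: flag Linux hosts whose uptime exceeds a threshold (assumed 30 days,
# as in the post). Reads /proc/uptime by default, or a file path passed in so the
# logic can be exercised offline. Reports only; it does not reboot.

MAX_UPTIME_DAYS=30   # assumed threshold from the post

# uptime_seconds [file] -> whole seconds of uptime.
# /proc/uptime holds "<uptime seconds> <idle seconds>", e.g. "2678400.12 1000.00".
uptime_seconds() {
    f="${1:-/proc/uptime}"
    read -r up _ < "$f"
    printf '%s\n' "${up%%.*}"      # drop the fractional part
}

# uptime_days <seconds> -> whole days
uptime_days() {
    echo $(( $1 / 86400 ))
}

# exceeds_threshold <seconds> [days] -> exit status 0 when over the limit
exceeds_threshold() {
    secs="$1"
    limit="${2:-$MAX_UPTIME_DAYS}"
    [ "$(uptime_days "$secs")" -gt "$limit" ]
}

# check_host [file] -> prints "REBOOT <days>d" or "OK <days>d"
check_host() {
    secs="$(uptime_seconds "$1")"
    days="$(uptime_days "$secs")"
    if exceeds_threshold "$secs"; then
        echo "REBOOT ${days}d"
    else
        echo "OK ${days}d"
    fi
}

# When run on a live Linux host, report its own status.
[ -r /proc/uptime ] && check_host /proc/uptime
```

Run it from cron or your scheduler and feed the `REBOOT` lines into whatever actually orders the restart; keeping the decision separate from the action makes it easy to dry-run the policy across the fleet before turning it on.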