In all honesty, I've had to deal with very few of them, and only indirectly. Most notably the Heartbleed thing recently. And you know what? It was senior management and IT managers who made that call and accepted the risks. (I'm primarily inside the firewall, so usually not my issue.)
There are times when you have to weigh risks and make choices.
But generally speaking, I don't apply a patch which is fresh and steaming immediately, and then I deploy to a lab and do some testing first.
Assume the worst, and do your best to plan against it. I learned this at the knee of an old neckbeard who'd seen it all, and I think it's served me quite well.
Occasionally, someone accuses me of being a worrier and overly paranoid -- and infrequently someone will override me. On a few of those occasions when it blew up in our faces, I was the one saying this is why I don't do it that way.
There's probably a larger number of times where it would have probably worked just fine.
But I don't get paid to take risks with someone else's stuff, and I work on stuff with a pretty low risk threshold.
So, for me, I will always err on the side of caution if it's an important system.