Depends, on how critical something is…since we deal with servers / customers at work that often are purposely not adjusted for years…because introducing a different behaviour (even if better) would grind production to a halt, I take a not careful approach.

I was using OpenSUSE Leap, and with zypper you can review which patches are available, whether they are critical or run recommended or not needed. You can then apply which specific patch you want be CVE if necessary.

But with Leap’s path seaming messy at the moment, I moved to Tumbleweed, since you have snapshotying built in. If an update did mess something up you just rollback to the previous snapshot and in less than a minute it is fixed