There seems to be a common mode of thinking about #software these days that is something like "updated software is always best". I agree there is some truth to that, but it is unfortunately not that simple. Most vulns were introduced in an update, they were not there from the beginning. "Security is a process, not a product", so how the software is developed changes the relationship between updates and #security, e.g. software that never issues stable updates vs. software with stable releases.
@jack I can't imagine a reason why knowing your software providers is a bad practice, that's what I'm talking about. You can tell Bruce Schneier that "Security is a process, not a product" is bad advice, since I was quoting him. Stable release processes are very much still a thing, as are running releases. The security properties of each have key differences.
@jack I agree that end users who do not look into their software providers should just install updates. That does not mean that we should ban all other discussions about updates, which it sounds like you are recommending. It is dangerous to lull people into complacency to just accepting the status quo because they are not technical. If someone feels threatened, they can also seek out expert advice for things they do not understand. "Updates" also has differences in meaning based on context 1/2
Another key discussion area for #updates is a #developer updating the libraries that they use in their app. Ideally the developer would review all source code changes that the lib update includes. This rarely happens in practice, and we see lots of apps inadvertantly include malware via libs that have been taken over. for example https://portswigger.net/daily-swig/popular-npm-package-ua-parser-js-poisoned-with-cryptomining-password-stealing-malware This is where devs should be thinking about how much they trust lib authors to maintain secure accounts, domain names, upload processes, etc.
Then compare this to getting package updates via the official #Debian repositories, which includes a wide array of proven techniques for securely shipping software packages and #updates. In addition, Debian has good track record over decades. In most setups, I think it is safe to enable the "unattended-upgrades" package which automatically downloads and installs updates for the majority of packages in Debian. This is the best choice for users who do not have the means to do further examination