Updating Drupal

Apply security and feature updates.

Drupal core and contributed extensions receive updates as security vulnerabilities are fixed and features are added.

We need to apply these patches regularly to keep sites secure and operational.

When all goes well, the updates apply cleanly and the database updates run without errors.

In the worst-case scenario, the updates break the site.

In order to serve our clients, we need to educate them on what it realistically takes to maintain Drupal sites, while doing our best to keep things running without wasting time and effort.

Security Updates

Drupal has a core maintainer team that actively resolves security issues. When vulnerabilities are discovered, they are reported to the team, which works out a patch and coordinates a release and an announcement so that sites get updated. Once the patch is released, attackers can work out the vulnerability fairly easily, so it is critical to apply patches.

Sometimes the threat is already mitigated on your site: for example, a highly trusted user would have to do something malicious, or untrusted users lack a permission the exploit requires. However, you often will not fully understand the risk, or know exactly how the site was built, so it is best to be cautious.

Patches

Drupal uses a patch contribution workflow, where issues are created and patches uploaded for review. We can apply these patches to our site to fix issues that are not resolved yet in a release.

When a site carries patches, applying updates needs a higher level of attention. Ideally the patch you use is added to the module and arrives with the next release. Otherwise, you have to check for updated patches to apply, and review and test whether they work.
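One way to run that check after an update, as an added example that is not part of the original page: it dry-runs each carried patch with `git apply --check` forwards and in reverse to tell whether the patch is still needed, already in the release, or no longer fits. It assumes git is installed and that patches are unified diffs with `a/` and `b/` path prefixes; `classify_patch`, `demo`, `example.module` and `fix.patch` are names made up for the illustration.

```shell
#!/bin/sh
# Classify a locally carried patch against freshly updated code:
#   pending  = still applies, the fix is not in the release yet
#   merged   = reverse-applies, the release already contains the change
#   conflict = neither, the patched code changed and needs review
classify_patch() {
    target_dir=$1
    patch_file=$2
    case $patch_file in /*) ;; *) patch_file=$PWD/$patch_file ;; esac
    (
        cd "$target_dir" || exit 2
        # Keep git from picking up an enclosing site repository, so paths
        # in the patch resolve relative to this directory.
        GIT_CEILING_DIRECTORIES=$(dirname "$(pwd -P)")
        export GIT_CEILING_DIRECTORIES
        if git apply --check "$patch_file" 2>/dev/null; then
            echo pending
        elif git apply --check --reverse "$patch_file" 2>/dev/null; then
            echo merged
        else
            echo conflict
        fi
    )
}

# Constructed sample: a one-function module file and a patch against it.
# $1 is the line the "updated release" ships in place of the original.
demo() {
    work=$(mktemp -d)
    printf '%s\n' '<?php' 'function example_title($input) {' "$1" '}' > "$work/example.module"
    cat > "$work/fix.patch" <<'EOF'
--- a/example.module
+++ b/example.module
@@ -1,4 +1,4 @@
 <?php
 function example_title($input) {
-  return $input;
+  return trim($input);
 }
EOF
    classify_patch "$work" "$work/fix.patch"
    rm -rf "$work"
}

# Usage: sh check-patches.sh <module-dir> <patch-file>...
if [ "$#" -ge 2 ]; then
    dir=$1; shift
    for p in "$@"; do printf '%s\t%s\n' "$p" "$(classify_patch "$dir" "$p")"; done
fi
```

A `merged` result means the local patch can be dropped; a `conflict` result is the case that needs an updated patch from the issue and a retest.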

Merge Requests

Drupal development has started to use merge requests in GitLab. Look out for updates there, as well as in patches in issue queues.
