by d2xdy2
4071 days ago
Not sure that I understand what you mean; I approach it much the same way that I keep up with security on my laptop. I find software (plugins) that seem reputable and update them when I get a notification to update them. If I happen to see a vuln pop up on seclist with no update from the publisher, I'll probably deactivate that plugin for a while until there's a response / update. I think that's a fairly reasonable methodology for any web application or stack-- I run updates on most of my Linux machines a few times a week, as needed, to edge out the would-be attackers (or fix other bugs I wasn't aware of). I personally host the bulk of my stuff on a Linode VPS and just compartmentalize it into areas of duty and responsibility. My blog / portfolio gets the most attention right now from me, but stuff like my time tracking and CRM have their own areas that are "reasonably" separated from stuff like WordPress.