To add to your patching notes, it also falls under how much planned downtime can you get. I have some systems that require maximum uptime and downtime on them is highly disruptive to the company. So scheduling some downtime may take weeks or months just to get all of the approvals to do maintenance on a system and to have it work around my schedule too.
Most of the systems I manage are thankfully internal-only so little to no risk of a breach unless someone gets into our VPN. And that could happen, but it is not likely.
And then there are the systems that REQUIRE specific versions of additional tools. We had a warehousing tool that required Java 6 when Java 8 was the latest and greatest. Updating Java resulted in the app failing to start. We also have tools that bundle other tools with them, and updating MUST be done by the parent tool to reduce the chance of errors - as an example, the main tool relies on nginx, Apache Tomcat, and a specific version of Java. So even though Tomcat may have an update, I can't apply it until the main tool approves that version of Tomcat for production use.
The above is all just my opinion on what you should do.
As with all advice you find on a random internet forum - you shouldn't blindly follow it. Always test on a test server to see if there are negative side effects before making changes to live!
I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.