I've been putting some thoughts together at work about how we apply operating system patches - for the HP-UX systems, for example, you can do some clever things:
1. Get the current patch state and ftp it to HP
2. Go onto their site and analyse what patches you are missing (and any dependencies etc)
3. Collect all these patches together and download them to your server
4. Apply them all in one go
Of course you can specify what sort of patches you are interested in. For example 'CRITICAL' patches are those that can cause data loss or system failures - and these are the ones we are most interested in.
Of course, in the Perl world CPAN does something similar - you can get a report showing, for all the packages you have installed, if there is a newer version available. But if you want to go further you have to start looking at the README/CHANGES for each individual package (and hope that what the author wrote makes some sense to enable you to decide whether to upgrade or not). And this can be a lot of work if you haven't upgraded for a long time. (And we try to minimise change frequency for our production systems.)
I started wondering if something could be done for CPAN to enable new versions to be classified so that you can see if you need to install them - everything from releases that fix serious bugs through minor bugs to added functionality releases.