Things like dependabot or renovate solves the problem of letting you know when security updates are available, letting you have your cake and eat it too.