Part of that equation is knowing when a security hotfix is available for your Kentico site. Constant Care for Kentico will watch all Kentico Xperience security hotfix releases and notify you if your site is missing any. Constant Care for Kentico covers not having to manually check for new hotfixes that could expose your site to attacks.
The Toolkit for Kentico teams recommends always staying current with all security hotfixes. You shouldn't miss any of them, and you should apply the security hotfixes when they are released. Applying every hotfix is not always possible in the real world, though. There are times when the security hotfix is for a feature that you do not use on your site. The tool also allows you to configure how many missing security hotfixes that your site has. This allows for some tolerance, but keeps you safe from getting too far behind.