This may be hijacking the original thread, but one thing that I’ve found useful is subscribing to the FreeBSD security mailing list. The mail is full of good information, mitigation techniques if possible, but always “what does this impact”. Based on that you can decide how critical the update is to you. Say a CVE is issued for sendmail that affects servers: if you are not running a publicly visible mail server (or not running one at all), that CVE, while critical, is of lower importance for you to patch than someone using Sendmail for a publicly visible mail server.
Security vulnerabilities are worth actually reading and trying to understand the attack vector. If it requires root access while physically in front of the machine, you can control that. Remote privilege escalation simply by visiting a website with bad HTML, those I worry about.
I happen to like the STABLE/UNSTABLE that the team came up with. I don’t feel like I’m “always updating” and they’re saving me the trouble of updating a system and associated ports: if you’ve never done a make buildkernel && make buildworld && make installkernel && reboot && make installworld && rebuild all your ports, trust me when I say “let them do the work”.
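To make the “does this actually affect me” check above concrete, here is a small script (added as an example, not part of the post or of any FreeBSD tool) that takes the list of vulnerable packages and asks whether each one actually has a listening socket, and if so whether it is reachable from outside or bound to loopback only. The two inputs are constructed samples in the shape of `pkg audit -q` and `sockstat -4l` output; on a real box you would pipe those commands in instead. Matching a package name to the COMMAND column of sockstat is an assumption that holds for sendmail and nginx but not for every port.

```shell
#!/bin/sh
# Added example: triage `pkg audit` hits by network exposure.
# On a real FreeBSD host replace the two samples with:
#   pkg audit -q          (vulnerable packages, one per line)
#   sockstat -4l          (IPv4 listeners; add -6l for IPv6)
# The package-name -> COMMAND mapping is an assumption for the demo.

# Constructed sample of `pkg audit -q` output.
SAMPLE_AUDIT='sendmail-8.17.1
nginx-1.24.0,3
vim-9.0.1'

# Constructed sample of `sockstat -4l` output (default sendmail on
# FreeBSD only listens on localhost for local submission).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sendmail   1234  4  tcp4   127.0.0.1:25     *:*
www      nginx      2001  6  tcp4   *:443            *:*
root     sshd       800   3  tcp4   *:22             *:*'

# Strip the version suffix: "nginx-1.24.0,3" -> "nginx".
pkg_base() { printf '%s\n' "$1" | sed -E 's/-[^-]+$//'; }

# Classify one vulnerable package as
#   EXPOSED        listening on a non-loopback address
#   LOCAL          listening only on loopback
#   NOT-LISTENING  no socket at all (patch at leisure, but still patch)
classify() {
    pkg=$1; sockstat_out=$2
    base=$(pkg_base "$pkg")
    # Column 2 is COMMAND, column 6 is LOCAL ADDRESS; NR>1 skips the header.
    addrs=$(printf '%s\n' "$sockstat_out" | awk -v c="$base" 'NR>1 && $2==c {print $6}')
    [ -z "$addrs" ] && { echo "NOT-LISTENING"; return; }
    for a in $addrs; do
        case $a in
            127.*|\[::1\]*|localhost*) ;;          # loopback only
            *) echo "EXPOSED"; return ;;           # anything else is reachable
        esac
    done
    echo "LOCAL"
}

# Print "package classification" for every vulnerable package.
triage() {
    audit_out=$1; sockstat_out=$2
    printf '%s\n' "$audit_out" | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        printf '%s %s\n' "$pkg" "$(classify "$pkg" "$sockstat_out")"
    done
}

triage "$SAMPLE_AUDIT" "$SAMPLE_SOCKSTAT"
```

With the samples above this reports sendmail as LOCAL, nginx as EXPOSED and vim as NOT-LISTENING, which is exactly the ordering of urgency the post argues for. A LOCAL result is only reassuring if you trust every local user, and anything running inside a jail or behind a reverse proxy needs a second look, so treat the output as a starting point for reading the advisory, not a substitute for it.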