Best practice: choose your frameworks wisely.
Update only what needs updating (considering dependencies). Read the changelog to see if any security fixes are required (if not, why update?) and properly test the update before migrating to production. (And highly likely: dream about automated testing for the next project.)