The Raspberry Pi OS image provided applies the maximum security best practices
As mentioned by @lmilcent in the Docker Gladys container, with each deployment of a new version, Gladys is redeployed with a fresh container based on a fully up-to-date system, and all dependencies are updated when security vulnerabilities are reported.
However, this is not entirely true!
We use the "unattended-upgrade" package at the system image level, which runs every night to automatically update system packages that have security vulnerabilities and can be patched without a reboot, and only those, to avoid breaking the system.
The only thing this package does not handle is a critical vulnerability at the kernel level: it is impossible to apply that patch without a reboot. On the Gladys side, we cannot decide when to perform the reboot, because home automation is a critical program. If you use Gladys as an alarm and Gladys starts rebooting at the moment you are being burglarized at night, that's not ideal!
However, Linux kernel vulnerabilities are rarer; generally we hear about them, and we can communicate with the community and say that you need to reboot your system.
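As an added example (not code from the Gladys project or the post above), here is the defender-side counterpart of the policy described: the apt configuration that installs security updates nightly but never reboots on its own, plus a small check an operator can run to see whether a pending reboot is the kernel kind the post talks about. It assumes a Debian-based image where package hooks write `/var/run/reboot-required` and `/var/run/reboot-required.pkgs`; the Raspberry Pi kernel package name used in the filter is an assumption.

```shell
#!/bin/sh
# Example only. Emits the apt.conf fragment that matches the policy in the post:
# security origin only, no automatic reboot. Origin pattern assumes Debian's
# security archive; adjust for your image.
print_policy_fragment() {
    cat <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# reboot_pending [FLAG] [PKGS]
# Returns 0 when a reboot is pending and prints the packages that requested it
# (deduplicated). Defaults to the standard Debian flag files.
reboot_pending() {
    flag="${1:-/var/run/reboot-required}"
    pkgs="${2:-/var/run/reboot-required.pkgs}"
    [ -f "$flag" ] || return 1
    [ -f "$pkgs" ] && sort -u "$pkgs"
    return 0
}

# kernel_reboot_pending [FLAG] [PKGS]
# Returns 0 only when one of the packages asking for a reboot is a kernel image
# (the case the post says cannot be patched silently). Package name prefixes
# are assumptions: Debian's linux-image-* and Raspberry Pi's raspberrypi-kernel.
kernel_reboot_pending() {
    reboot_pending "$1" "$2" | grep -q -e '^linux-image' -e '^raspberrypi-kernel'
}

# Operator summary: distinguish "library updated, restart services" from
# "kernel updated, schedule a reboot window".
reboot_status() {
    if kernel_reboot_pending "$1" "$2"; then
        echo "kernel update pending: schedule a reboot"
    elif reboot_pending "$1" "$2" >/dev/null; then
        echo "reboot requested by non-kernel packages"
    else
        echo "no reboot pending"
    fi
}
```

Run `reboot_status` with no arguments on the Pi itself to read the real flag files.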