A middle road is also possible. I use a self-hosted opensource hosting system (https://github.com/omega8cc/boa) which automatically patched all my sites upon release of the advisory. This may not work for all vulnerabilities, but it was very convenient for the last two Drupal vulnerabilities.