> security must be outsourced to a company. I don’t have time to keep on top of vulnerabilities.
If the software you host constantly has vulnerabilities and something like apt install unattended-upgrades doesn't resolve them, maybe the software simply isn't fit for hosting no matter what team you put on it. That hired team might as well just spend some time making it secure rather than "keeping on top of vulnerabilities"
There's only a handful of web apps packaged in the OS repo. Even wildly popular software like WordPress and Drupal you need to use their built in facilities or manually apply outside the OS update manager
If the software you host constantly has vulnerabilities and something like apt install unattended-upgrades doesn't resolve them, maybe the software simply isn't fit for hosting no matter what team you put on it. That hired team might as well just spend some time making it secure rather than "keeping on top of vulnerabilities"