"I think [the priority list] flows like this: You need
a good, secure configuration. If that's done and deployed, you
focus on understanding updates to programs. In other words, you
want to look at all package updates and know what was fixed and if
you need to update for it. Aside from that, you need a good
monitoring technique to ensure the systems you so carefully
configured stay that way. Having a good handle on monitoring the
security events being generated is one of the more important things
to do, assuming that a system is properly configured. You need to
understand what's recorded in the security logs so that one day,
when something odd shows up, you can spot it
immediately."