Just keep &security updates& enabled within your panels........... (in the update section of WHManager)
That's by far the most important, and you should never circumvent that no matter how much you think auto-updates are going to ruin your life.
In this case, you only get daemon patches that defend your system against the latest exploits. The day that redhat constructs an rpm to patch an exploit, you can bet darkorb will have it in the rpmupdate that very night. And until an rpm is released, if not immediately, in most cases cpanel will release a patch (whatever procedure is required to secure the daemon without a version update), until the rpm or source is tangible to the public.
That's been my experience, anyway.