unattended-upgrades
Whilst I understand the need to make sure an update will not break existing functionality on a server, I have never had a problem updating a Debian-based system. The (old)stable version, of course.
This holds as long as you keep your system sane. For example, if you install custom software, make sure it's installed in a different location, and if the distro has the same software as a package, then possibly uninstall that package. Say you have your own customised Bugzilla installation: do not stupidly keep the distribution-provided bugzilla package lying around and just install your own version over the system-installed one. Your shiny new Bugzilla will then break with the next system update (an actual real-life case from a badly managed server I took over early in a job many years ago).
On many systems I have enabled the unattended-upgrades package to update on a daily basis, and I quite trust Debian (old)stable updates (and Ubuntu LTS if you must) to happen without problems, and they always have. I believe that the low chance of an update breaking something weighs up against having security patches installed as soon as possible in an automated way. In my experience, people who disagree with it most strongly also unfortunately have the least understanding of the subject matter.
If you want to make extra sure, then enable only the security patches to be updated automatically, and leave less important updates to be done by hand.
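A security-only setup on Debian could look like this. It is an added example, not configuration from the original post, and it assumes the stock file names `20auto-upgrades` and `50unattended-upgrades` under `/etc/apt/apt.conf.d/` that the unattended-upgrades package normally uses.

```conf
// ---- /etc/apt/apt.conf.d/20auto-upgrades ----
// Refresh the package lists and run unattended-upgrade once a day.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

// ---- /etc/apt/apt.conf.d/50unattended-upgrades ----
Unattended-Upgrade::Origins-Pattern {
        // Security archive only: these are installed automatically.
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

        // Left commented out: point-release and other non-security
        // updates stay manual.
        // "origin=Debian,codename=${distro_codename},label=Debian";
        // "origin=Debian,codename=${distro_codename}-updates";
};

// Packages that must never be upgraded automatically (empty here;
// list any package you prefer to handle by hand).
Unattended-Upgrade::Package-Blacklist {
};

// Do not reboot on its own; reboots are scheduled by the admin.
Unattended-Upgrade::Automatic-Reboot "false";
```

Running `unattended-upgrade --dry-run --debug` as root prints the allowed origins and the packages that would be upgraded, without changing anything.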
You protect yourself against "breakage" in other ways (redundancy etc.), not by holding back on security updates.