Until now I maintained strict policy for upgrades in Whonix stable apt repository:
- only fix grave usability bugs, such as the Tor Browser 4.x compatibility fix
- and of course also planned to ship security fixes should issues be reported
This is similar to Debian stable.
The reason is, should I also add other upgrades before a major version and through testing, an upgrade could create a mess for everyone. Not as in security, but as in broken dependencies, upgrader and such stuff. To prevent such a worst case, this policy is in place.
I am considering making an exception for packages that are not installed by default where the gain would be huge. The Whonix AppArmor profiles. (https://github.com/Whonix?query=apparmor-profile-)