For daemons and apps, a regular apt/yum update will work, of course, until the next reboot, when you need to reinstall all updates.
For the kernel, the only option is livepatch.
In practice, however, I suspect the answer is: you don't. "We're defaced? Oh, we just reboot and we're no longer defaced!"
And granted that any possible instability may usually be caused only by updates, I don't think it's a viable solution at all.