I’ve heard this advice before… but for web servers I think this philosophy can create a very false sense of security for an admin.
Anybody in this group https://security.stackexchange.com/ would laugh if you only depended on the OS and CMS updates for all of your security needs.
While keeping the OS and CMS up to date is a basic rule that everyone should practice, in relation to securing a web server against potential attack it seems very much incomplete.
IMHO, I believe web servers are analogous to museums. In any country you have “National Museums” and “Local Museums”, which in web terminology could be thought of as “Bare Metal Servers” and “Virtual Private Servers”.
The bigger, more invested the museum, the bigger, more invested the security.
You would very rarely in the real world find a museum that only relies on common deadbolt locks on the doors and closing/locking the windows for their only security, which is analogous to only updating your OS & CMS on a webserver.
Inside of museums you have priceless works of art that required artists to spend hours, days, months, even years to create & eventually gather admiring looks, or rather “user views” & museum concessions sales/donation revenues.
On web servers you have web projects that required developers (artists) to invest significant periods of time to create & maintain. And their “user views” and “sensitive user data” (revenues) merit at least some security consideration beyond just “locking the door & closing the windows.”
For “noobs” just entering the webhosting arena, I think there is no better tool for learning how to secure your system than Lynis.
From this single tool, I learned about sysstat, psacct, auditd, sysdig, closing unused ports, kernel hardening, PAM hardening, removing unnecessary information from banners, and removing unused/outdated network protocols, which more often than not contain security vulnerabilities that knowledgeable hackers can readily exploit.
Simply updating the OS is insufficient when the OS itself includes exploitable security holes.
As a developer entering the VPS webhosting arena, Virtualmin/Webmin/Usermin is by far the sane choice of control panel for usability, documentation, & built-in security features.
However, I wouldn’t consider myself even an intermediate level sysadmin until I can fully harden the OS against attack (Lynis score of 90, perfect is impossible), properly apply all of the free and readily available security tools such as fail2ban, ModSecurity, maldet, etc., readily protect system services with a security framework such as AppArmor, SELinux, etc., maintain an offsite daily backup regimen, easily/readily determine if rkhunter, chkrootkit, & maldet hits are “false positives” or “real hits”, and get my disaster & recovery time to under 12 hours.
Consider server hardening from the financial viewpoint. Sure, you can use Virtualmin to get your webserver up, running, and ready for webhosting in X days. But why not invest X additional days to learn how to properly secure it? Because after your system is hacked by a high school kid, who did it for fun & practice, or even worse, a pro hacker using ransomware… it’s too late.
If you choose to only “lock the door & close the windows” on a system containing works of art, often worth more than the system itself, it will cost you a lot more money & time hiring a higher level sysadmin to help clean & restore your system in the long run.
In a nutshell, if you are going to do something… do it right.