It's interesting that staying up to date with your dependencies is considered a vulnerability in Node.
Having a cooldown is different from never updating. I don’t think waiting a few days is a bad security practice in any environment, Node or otherwise.
People who live on the edge of updates always risk vulnerabilities and incompatibility issues. It’s not about Node, but anything software-related.