> How do you update the software in the containers when new versions come out or vulnerabilities are actively being exploited?

You build new image with updated/patched versions of packages and then replace your vulnerable container with a new one, created from new image