The DockerHub is a great resource for discovering and distributing Dockerfiles. Many users sharing public images take advantage of the Docker Hub’s Automated Build configuration, which is excellent as this automatically allows the Hub to display the Dockerfile and provides some medium of security above simply downloading and running some untrusted binary black box.
Unfortunately, far fewer users configure Repository Links to trigger builds to update even when the resulting Dockerfile is unchanged. As a result, many excellent Docker containers that are not under active development have not been rebuilt in several months, meaning that they still contain widely known dangerous security flaws such as Shellshock (September 2014).
This problem is easily avoided by configuring the Repository Links setting to point to the repository being used as a base image in FROM. The official base images such as debian and ubuntu (e.g. the images with no additional namespace) are regularly updated to patch security vulnerabilities as soon as they are discovered, resulting in updates being made every few days on average. Setting the repository link to the FROM source allows your repository to be rebuilt as soon as its base image has been updated, ensuring that you inherit those updates.
Naturally this strategy does not help if your FROM image isn’t an official base image and hasn’t configured Repository Links (or if such a break in the chain appears anywhere along the FROM recursion). In such cases, having a RUN apt-get update && apt-get upgrade -y command (or equivalent option for your distribution) might be a good idea to make sure that your image at least gets the latest updates, but you’ll still need to set up some automatic or manual Build Triggers to ensure this is run regularly; or better yet, just avoid building on or using stale images.
If you do have a reliable Repository Links chain to an official image, then apt-get upgrade is not necessary (and in fact is not advised in Best Practices). Instead, make sure all images in the chain call apt-get update in the same RUN line as apt-get install -y ..., which will ensure that cache is broken and the latest versions of the packages are installed. See the official Dockerfile Best Practices for more information.
NB: I’m not a security professional; this just looks like common sense usage