aptitude update sure is part of maintaining things up to date. One cannot rely on it exclusively due to how those updates sometimes require other changes. Plus it doesn't cover all packages. Using docker just adds another layer of complexity and possible vector of attack. For standalone wordpress installs docker is not required. Wordpress security is more of a continuous process rather than a set and forget thing due to how it's a constant target.