Keeping the system up to date is mandatory for security holes to be fixed ASAP. So it’s best to use the repos to upgrade not only the system but also applications & databases, being YUM or APT. Everything can be dealt with easier this way.
Also you should receive a notification by email when ever an update is available.
No need for a change management interface like old-school HP OpenView. Just setup your system to monitor changes and report daily with a crontab output sent by email. This is enabled by default on BSD systems (which also provide a security-specific daily report).