Updates Best Practices

What are the best practices for handling WordPress Core, Plugin, and Theme updates that (a) maximize security, (b) minimize manual admin tasks, and (c) minimize risk of breaking things on the site that could be time consuming to fix?

It would seem that going too far with one objective can compromise the other such as updating themes or certain plugins automatically could save manual admin time but at the risk of breaking things.

Ideally I would think a system that automatically made a snapshot of the site, similar to a Windows System Restore point, before installing an update would be beneficial. In addition an automatic notification an update has been applied. This way you could possible automatically update everything, when the admin gets the email he can check the site is okay, if it’s not, he could use a ‘rollback’ option to revert back to the config prior to the update that caused the issue. Is this not possible or would there be a better way to handle updates?