First thing, go through everything that's installed and get rid of anything you don't want or need. (If you don't know what it is, leave it alone.) For instance, I ude LibreOffice on some machines and not others. I uninstall everything related on those I don't use it on. I also have a file manager I like, but it doesn't come with preinstalls. Usually when I uninstall the ones that come default, there are a lot of other things that are free to be uninstalled as well ince they're only there to support the thing(s) i get rid of.
If you use Synaptic for all of this, you can look under Installed (autoremovable) after you get rid of things and you will often see other things that you can get rid of. You can also use Installed to just go through the things you have installed instead of the entire list of what's installed and what's available. Both of those are included in the Status section.
Once you have it down to what you really use, accept all updates. Some of them may not be urgent, but you can't always know which are and which aren't. It's safest to go ahead and get them to make sure something with a vulnerabilty isn't hanging around on the system.
Yes, linux gets vulnerabilities, too. Not like that other thing gets. Not as many, usually not as bad, and certainly not as often as that other thing either.
It's best to stay ahead of things. Nothing is perfect. (Especially Windows.)