Rebuilding world updates the FreeBSD system only. Software installed from ports isn't updated when you rebuild world. In the same way portupgrade doesn't update the system, only software installed from ports. You should update both FreeBSD and software installed from ports to keep your system uptodate.
Remember the BSDs make a much clearer distinction between the OS and application software, whereas Linux muddies the boundary between the two. So you need to use both methods to keep your entire system uptodate
My preferred way, because I'm lazy, is to wait until portaudit tells me a security problem has been found and addressed for a particular port, I then read /usr/ports/UPDATING just in case, then I manually update the port by
cd /usr/ports/foo/bar && make all deinstall reinstall clean
Similarly when I get an email from the freebsd-security mailing list I follow the instructions described in the "How to Fix" section