I really liked the way Gentoo do the things.
First of all Gentoo package versions are usually kept at Long term support version,
Then there is a slot system, which deals with version compatibility between different dependencies,
Thus system remains stable as well as quite up to date without having always latest version of everything.
Also Gentoo release Security advisories, that may be used to see which package suffers from security flaw, hence I can only update package when it is necessary for security fix. Also e.g.
Recently, after syncing emerge, a message I got about security vulnerability in vlc media player which I have installed, it says that vlc version have been masked and I should update it. I liked this informative feature of Gentoo portage.
Does Gentoo always mask security vulnerable packages like this?
I also liked the way its USE flags work, so I can select what features I want to compile, although no performance gain was seen by such kind of native compilation.