It is much easier and faster to just install the new version from scratch.
As for security updates...
If you want to keep the standard base system and GENERIC kernel, you can use
freebsd-update(8) for doing binary updates.
It is as simple as a
# freebsd-update fetch
# freebsd-update install
every time there is a new patch. You can also automate the updates checking using cron (check the
TIPS in the man page). Note that it will
not do the update automatically. It will only notify you.
If you want to
build a custom kernel, you will have to update the source (
csup(1)), fetch/apply the patches and build the appropriate parts yourself.
Note that you can still use freebsd-update for the update itself, but you will (obviously) have to rebuild everything too since freebsd-update will only modify the "standard" parts.
Keep an eye on the
SECURITY ADVISORIES on the
main page (bottom-right corner). Every advisory contains all the instructions you must follow to apply the patch.
Finally, there is the
handbook. Keep it handy. And read the part about
upgrading/updating.
Of course, keeping the system up to date is one thing, but it will not be enough if your applications are bug-ridden. So, always
keep your applications up to date too.