I would say it greatly depends on the environment. Then good mix between best practices, complexity, and fit for the task. Sometime ago I switched to using git/ansible and "esxcli" updates. Enabling SSH in a production environment can be questionable, so locking that down at every level is needed. However that just adds to the complexity. Personally I have found that the Update Manager windows software solution ends up adding a lot more complexity, and hinders your nimbleness when fully deployed. Granted you loose the ease of knowing when VMware puts out patches/updates for ESXi.
To solve this I rolled my own little API to check for new versions, then update the repo. Then curl simply enough does a little exchange with "downloads.vmware.com", and pulls the latest archive. Finally commits the current build numbers on the hosts to the repo. At which point and Ansible script takes over, or gets crond. Long process short checking latest build numbers, and remediation info is available in a GIT repo. Maintenance windows are key here, also making note of variables which add steps to "entermaintance mode", and being VSAN aware (auto rolling updates). Obviously you can run updates manually by invoking proper Ansible commands. This model has served me rather well so far even in production, especially so as you aren't locked into the complexity. Drivers on the other hand is a whole other topic.
In production always stay within your skill set, as the complexity should match your undeniable comfort zone. If not things could possible become counterproductive. Deep diving into the two current methods of "esxcli" and "Update Manage" is in all honesty the best place to start.
Typically I roll out updates according to maintenance times/load, and especially having been fully functional in a work-load simulated lab/dev cluster. I have found ESXi updates fix way more problems then they create, and detecting anomalies on a production system after an update, auto vmotioning it to another host, is well within the vSphere Operations capabilities. Funny enough its somewhat akin to jumping down a rabbit hole, and deciding when you have gone far enough.
In a patching plan you should always roll out the security patch when VMware Release. But for the Bug fixes or regular patch you should planned according to the need base.