How quickly should I action the update announcements on the CentOS mailing lists?

It's silly to take a specific action on every update announcement that comes through.

As the administrator, you exercise your judgment and knowledge of the specifics of your environment to make a determination of what's important to update.

For example, if Apache and OpenSSH are updated and you have those services open to the public, then it makes sense to keep them up-to-date. But in many environments, those service are not available to the world, so the urgency to update is far lower.

How about the kernel? There's a kernel release every month or two. Updating it is intrusive and causes downtime. But sometimes it makes sense.

I've encountered many web environments where critical packages are never updated; as in years of no updates. That's clearly wrong, but so is updating daily or weekly.

I personally like to evaluate monthly or quarterly. Reported exploits take awhile before they come into common use by attackers.