For me, the normal thing is to build from source with BUILD-NetBSD and do an overlay install with INSTALL-NetBSD from pkgsrc/sysutils/etcmanage, following netbsd-6 (or -5 or -7). Once you get etcmanage set up, this is nearly trivial, and updates lots of fixes, not just security patches. Note that the above is basically "prepare binary update" and "install binary update". But, I agree that it would be nice to have a binary auto-update mechanism supported.
Attachment:
pgpHSi3OIbQ_l.pgp
Description: PGP signature