I am new to Magento and I'm working on a demo store. I've only applied security updates by updating the Magento version when it comes out. When I start installing extensions, I wanted to make sure that if I were to run a security patch via SSH that it would not change the Magento version.
While ideally you should, it's not always possible as upgrades also incorporate all kind of other stuff. It's especially hard when you need to upgrade from ancient versions (such as CE 1.6). Enter patches -- quick hot-fixes that address just a bug and nothing else. Patches can also be applied to older versions and they're relatively safe.
So apply patches as soon as they're released, but also consider upgrading.