According to the wiki (https://openwrt.org/docs/guide-user/security/openwrt_security), updating individual packages inside the build is not a good idea.
Stable build is good for me. As I checked the stable releases, approx. 1-2 comes out per year.
My questions:
Is it safe to use the stable release without any update, and just update it with another stable one? If not, could you pls advise, how do you keep a stable release secure and patched (considering the wiki guide) on your device? Are there any best practices?
What is the method of updating a stable release from version X to version Y? Just download the sysupgrade package and update it, or stable releases should be handled a different way?
The frequency is variable, depending on the needs. Critical vulnerability patches and major bug resolutions will often be a forcing function for a service release. With CVEs, these can come up at any time (although many won't be relevant or severe). Failing those, the updates will come out based on when minor fixes, new device support, and other incremental changes reaches a reasonable critical mass of PRs.
Yes, in general. If there are specific package upgrades required for an interim CVE fix, you'll see it in the announcements section.
There are several ways, but typically using the standard sysupgrade process. More recently, there are tools to include all your installed packages as well -- Attended Sysupgrade (ASU) and OpenWrt Upgrade Tool (OWUT) are great!