Like you said elsewhere Jeff, the base OS can be managed with automatic updates, and daily updates is a reasonable default schedule. There's not a lot of systems where I'd be comfortable with a 6 month time frame for updates. The past year's OpenSSL exploits come to mind, and https://www.drupal.org/PSA-2014-003
While it's not perfect, it seems like it might be a good idea to run automatic updates for the container as well as the host. Updates that aren't stored in a docker volume would be lost on the next container restart, but would at least be replaced some time over the next day, and if the container restart is a rebuild, then the updates would presumably get applied more permanently in that process anyway.
Since the unattended-upgrades package comes as standard on Ubuntu, and that's what the container runs, the package is already there in the container. I can presumably set up a cron job outside the container to run it via docker exec.
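A host-side cron script for the "docker exec" approach described above, as an added example that is not the commenter's own code. It assumes Ubuntu-based containers with unattended-upgrades installed, a host user allowed to talk to the Docker daemon, and a hypothetical `auto-upgrade=true` label marking the containers to touch.

```shell
#!/bin/sh
# Added example, not the commenter's script: run unattended-upgrade inside
# running containers from a host-side cron job via `docker exec`.
# Assumes Ubuntu-based containers with unattended-upgrades installed (as the
# comment says) and a host user allowed to talk to the Docker daemon. The label
# name and container names used here are hypothetical.
set -u

# Build the docker exec command for one container. Pure function, so it can be
# checked without a Docker daemon. $1 = container name, $2 = "apply"|"dry-run".
upgrade_cmd() {
  name=${1:-}
  mode=${2:-apply}
  case "$name" in
    ""|*[!A-Za-z0-9_.-]*) return 1 ;;   # refuse names Docker would not accept
  esac
  flag=""
  [ "$mode" = "dry-run" ] && flag=" --dry-run"
  printf 'docker exec %s unattended-upgrade -v%s\n' "$name" "$flag"
}

# Only containers labelled auto-upgrade=true are touched, so containers whose
# filesystem you would rather not patch in place are left alone. Note the
# caveat from the comment: packages patched this way vanish on the next
# container rebuild, so the image still has to be rebuilt regularly.
target_containers() {
  docker ps --filter 'label=auto-upgrade=true' --format '{{.Names}}'
}

run_all() {
  mode=${1:-apply}
  rc=0
  for c in $(target_containers); do
    cmd=$(upgrade_cmd "$c" "$mode") || { echo "skipping odd name: $c" >&2; continue; }
    echo "== $c: $cmd"
    if ! sh -c "$cmd"; then
      echo "!! unattended-upgrade failed in $c" >&2   # surfaces in the cron log
      rc=1
    fi
  done
  return $rc
}

# Nothing runs unless a mode is given, e.g. from crontab (hypothetical path):
# 15 4 * * * /usr/local/sbin/container-upgrades.sh apply >> /var/log/container-upgrades.log 2>&1
case "${1:-}" in
  apply|dry-run) run_all "$1" ;;
esac
```

Run it once with `dry-run` from an interactive shell to see which containers would be touched before handing it to cron.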