I've never encountered a bug in any of the web apps that I developed where a kernel update solved it. I know there are other reasons to update, such as addressing security vulnerabilities, but I've also never encountered or personally heard of someone having their system compromised by a kernel vulnerability.
Of course that doesn't mean it can't happen, but for single server deploys I do value things like uptime. Rebooting is at least a 30-90 second downtime event by the time the box comes back up and your services start up again. There's also a risk that something might not play nice with the update and now you're stuck with potential downtime while under pressure until you revert the change. Hopefully that wouldn't happen with a security patch level update, but it's a risk at the end of the day.
Basically, for the workloads I run, I'm confident enough in having userland system packages updated automatically and rebuilding Docker images to have the most up-to-date security patches, which is where my apps are running anyway.
For bigger updates (distro versions, kernel updates, etc.) I'm more in favor of spinning up a new server, re-deploying everything there, switching DNS over to it and shutting down the old server. In my opinion it's safer since your original server is never modified and your site is always up.