Curious as to how the bigger providers are doing this, bar logging in manually and doing the apt-get update shenanigans. Windows has WSUS and other tools, but what do you use on your server estates?
Ansible.
Along with Foreman Katello if you want the capability to 'freeze' repos so you can update your servers one at a time, or in batches, while ensuring they are all on the same patch level.
We run automatic backups from a central control server using Ansible; the link below might be of help. https://2021.ubucon.asia/sessions/ubuntu_os__service_patch_management_using_ansible/Slide.pdf
SaltStack / Puppet / Chef / CFEngine / Cockpit / Spacewalk are all likely options.