Doing that sounds simple. When you have many balls in the air, though, it's easy to drop one. You want to verify that updates won't break your site. Ideally, you should test them before going live. Updates sometimes have compatibility issues or change functionality in unwanted ways. If advance testing isn't possible, you at least want to update the plugins during low-traffic times, watch for problems, and be ready to roll them back if necessary. This gets complicated, especially if you maintain multiple sites.
Sometimes the bad guys discover vulnerabilities and exploit them before there is a fix. There was a period when the Shopify plugin problem was publicly known but a patch wasn't available. Some vulnerabilities require great ingenuity and patience to discover. This one was blatant and easy to exploit.
Even the best-maintained sites have windows of vulnerability. Fixing known risks is important, but it isn't a complete approach to website protection. Some threats will get through, and scanning for anomalous behavior on a site is necessary to catch and remove the problem quickly.
Keeping malicious packets from reaching the site will stop many threats from getting through, even if the latest patches aren't in place. A web application firewall (WAF) monitors incoming traffic and looks for hostile patterns. The key is to force the attacker to face multiple defenses, at least one of which will be enough to stop it from doing harm.
Quttera WAF guards your website against hostile traffic, such as the kind that exploits the WP Shopify XSS vulnerability. It uses a constantly updated set of rules to analyze incoming requests before they reach your applications. You can configure the rules and set up whitelists to fit your website protection needs. The WAF is part of Quttera's
ThreatSign package, which provides comprehensive protection for websites at a reasonable cost.