I think there is no out-of-the-box solution.
You can run security updates manually, but it’s too much to do.
Try to host apt mirrors in different stages, with unattended-updates turned on.
Devel will have the latest.
Staging will have the latest positively tested on devel.
Production will have the latest positively tested on staging.
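
The staged promotion described above, as an added example that is not part of the original post: each stage's apt source points at a symlink over dated mirror snapshots, and a stage moves forward only to a snapshot marked as tested on the stage before it. The directory layout, function names and snapshot ids are assumptions; filling a snapshot with packages is left to whatever mirror tool is in use, and `mv -T` assumes GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Assumed (hypothetical) layout under $ROOT:
#   snapshots/<id>/   one frozen copy of the mirror per sync
#   devel, staging, production   symlinks the web server exposes; each
#                                stage's sources.list points at its own
#   tested/<stage>.<id>          marker: snapshot <id> passed tests on <stage>
set -u
ROOT="${MIRROR_ROOT:-$(mktemp -d)}"
mkdir -p "$ROOT/snapshots" "$ROOT/tested"

# Print the snapshot id a stage currently serves (empty if unset).
current() {
  [ -L "$ROOT/$1" ] && basename "$(readlink "$ROOT/$1")" || true
}

# Atomically repoint stage $1 at snapshot $2, so a client running
# apt never sees a half-switched mirror.
point() {
  [ -d "$ROOT/snapshots/$2" ] || { echo "no snapshot $2" >&2; return 1; }
  ln -sfn "snapshots/$2" "$ROOT/$1.new" && mv -T "$ROOT/$1.new" "$ROOT/$1"
}

# Record that the snapshot now served to stage $1 passed testing there.
mark_tested() {
  local id; id="$(current "$1")"
  [ -n "$id" ] && : > "$ROOT/tested/$1.$id"
}

# Move stage $2 to the snapshot stage $1 serves, but only if that
# snapshot carries a "tested" marker from stage $1.
promote() {
  local id; id="$(current "$1")"
  [ -n "$id" ] && [ -e "$ROOT/tested/$1.$id" ] || {
    echo "refused: '$id' is not marked tested on $1" >&2; return 1; }
  point "$2" "$id"
}
```

Devel is repointed with `point devel <id>` after every sync; `promote devel staging` and `promote staging production` are the only ways the other two stages move.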