using pkgs vs using a cms

From: tech-lists <>
Date: Wed, 23 Mar 2022 23:10:31 UTC

What's the advantage in updating a port over using its 
own ecosystem?

examples: www/nextcloud and www/drupal9

These are popular programs which, because they are popular, present
a vulnerability vector from a security standpoint if they're not kept
up-to-date, and also if their dependencies aren't kept up-to-date.

Isn't it better for these to use their own ecosystem to keep up-to-date?

Drupal releases updates seemingly every month. Right now,
ports is at 9.3.7 yet the latest is 9.3.9. 9.3.7 has two current CVEs
for -core, according to their website.

I have used the ports system to for example install nextcloud,
getting it all working then moving its dir from www/nextcloud to 
www/nextcloud1, purging it from ports then moving it back.

Do others install then use drupal in the same fashion?