These notes are almost certainly wrong, you’ve been warned.

First off you need to decide what version of FreeBSD your running. When I last did this I decided that 6.2 was the safe choice. 6.3 had a few release cantidates, but wasn’t actually released.

6.2 is a pain to install because after you install it you need to upgrade the X11 support and that involves hand work to get over a major transition in the X11 system. This is documented in the ports upgrading file. You’ll want to do that before you start installing too many ports that depend upon X11.  (Oddly I also must set ForwardX11Trusted).
Next up is the problem of getting the security patches installed, and that effects all the OS, the core utilities, and the ports; making for another reason to temper your enthusiasm for installing ports early. This step is eternal, particularly if the machine will be exposed on the open internet; and really one way and another – what isn’t?
There are tools to help, but they are in various states of current. In fact there are two many tools and something of a lack of guidance about which ones to use in which situations.

Freebsd-update is a help for the kernel. It’s a port, so you’ll need to install it. Then you need to wire it up so that it polls from crontab regularly for security patchs.

Portsnap, portupgrade and portinstall are a good. You may wish to wire portsnap into crontab so your informed of the freshest ports. (There seems to be something odd with my portupgrade, I have two /usr/ports/{ports-mgmt,sysutils}/portupgrade. I think happened early on as part of running portsnap. I believe I had to slam the one from ports-mgmt in over the one I’d installed earlier. Note that this happens in the middle of getting X11 upgraded.)
Portaudit, another port, needs to be installed so your informed when your ports have security issues.

Then you have to apply the patches freebsd-update is telling you about by hand, and you have to make thoughtful choices about how closely you track the latest and greatest ports. Of course upgrading to fix the problems portaudit points out can cascade into other ports.

All that that is hand work, which you have to do regularly; and you have to read your email from root. It’s a particular pain that portupgrade will occasionally decide it wants to interact with you personally to configure a package; when that happens it will want you to be on a traditional terminal.

I suspect that the approach outlined here doesn’t upgrade the core utilities should they have security issues uncovered. Similarly freebsd-upgrade is useless if you’ve compiled a custom kernel. I was pleased that I didn’t need to do that this time.

I suspect that I haven’t managed to fall into a “best practice” pattern with all this yet. It appears that there is a lot of variation seen through out the FreeBSD community for how to do this. The various tutorials and handbooks are interesting. Some are out of date. Most are confusing because they are full of too many choices! Some are confusing because the new better way hasn’t quite settle down and attracted a wide following, sometimes there appears to be more than one generation of new better way in that state.

Advice is welcome :).