You have to run your own install script. It is more involved than deploying other things. I usually run a script to prepare the server first (for a generic secure setup, including LAMP) and then run the WP installing script (which is mostly Python working through sftp). It has taken a bit of time to figure this one out, because the generic secure setup requires constant upkeep. It's not something that you set and forget.
aptitude update sure is part of maintaining things up to date. One cannot rely on it exclusively due to how those updates sometimes require other changes. Plus it doesn't cover all packages. Using Docker just adds another layer of complexity and possible vector of attack. For standalone WordPress installs, Docker is not required. WordPress security is more of a continuous process rather than a set-and-forget thing due to how it's a constant target.