As someone who was learning Drupal, I was wondering this. My test site came up with a friendly notice to "upgrade core". I figured I should since it seemed like a good exercise.
But trying to figure out how was not intuitive. The Drupal web site was mum on the issue (you figured they'd post something on the site telling people to upgrade ASAP).
I figured it out eventually. Was disappointed how it was handled.
I recommend also subscribing to the Debian security mailing list[1], even if you're not a Debian user--they are on top of security issues that involve software in their repo (and that's a lot of software) within minutes of the advisories.
In fact, that's how I learned about most of Drupal's core security issues (got a message in my inbox) and was able to patch them up really quickly.
It's best to follow the security announcement list. Such announcements are also posted to https://drupal.org/security and the release notes (click through from the upgrade warning).