Packages seem like a very convoluted way to achieve something like setting a host name or configuring the DNS server a system uses or the packages that are installed or which virtual hosts a web server serves and which certificates it uses to do so.

If you don’t update your Docker images for two years or more you are going to have even more security holes than if you had it all on the host system and didn’t update that.

Not sure why you would use it for a single server with a single admin you only install once but for multiple admins and many servers it provides repeatable results that are the same no matter who does it and it also allows you to add small settings that you would never do by hand every time you install a new machine. There is nothing worse than discovering that your dev system and your production system differ in a minor way that makes a test succeed on dev but fail on production because of something someone installed or configured manually. Well, apart from discovering that same thing happened with your 5 year old production server you are trying to reinstall after it broke.