In Handbook and 2005.0 Handbook I find some commitment about limitations of --update without --deep, but I think there should be a warning, what says that if you do --update without --deep, than some security fixes won't be installed. If a depends on b and b depends on c. You install a will install b and c also, but if some security issues appear about c, than c won't be updated.
Very true. I've added a paragraph on this. Thanks for reporting!