Questions on patching #AWS AMIs

I understand how an AMI is “everything needed” to restart my work environment from where I left off… and it includes the complete operating system. But don’t operating systems need patches? So how often do I need to patch my OS? And how do I do that? And doesn’t that kind of go against the idea that the cloud is “no maintenance”?