One of the more painful types of security updates is kernel patches. In a traditional infrastructure, they are risky because you must reboot each server and hope that the server comes back online. This can fail for any number of reasons. You can have a configuration problem that went unnoticed until you attempted the upgrade, you can also find latent hardware problems that you did not know were there. With immutable infrastructure, you build new server images with the kernel patch already applied and then push that through your normal release pipeline. It is safer, it is faster, and it does not require the manual tending (or painful scripting) of your servers as they reboot.
About the data layer, the immutable style wouldn't give you the same convenient as application layer does.
Share this highlighthttp://www.safaribooksonline.com/a/seeking-sre/13248079/