Regarding OS updates, once you've spun up an AWS Lightsail instance you fully control it, including software updates. There is no difference between an EC2 instance and Lightsail in this aspect. For another kind of instances, AWS provides AWS Systems Manager Patch Manager a tool that automates the process of patching managed instances with security-related updates, but I don't know if you can configure Lightsail to use it. I recommend you move this question to the AWS forum to obtain a proper answer.
Regarding the application itself, Bitnami continuously monitors and updates every application (WordPress) in our catalog including its components and dependencies (Apache, MySQL, PHP, etc) to ensure our applications and development stacks are always up-to-date and secure.
I hope this information is useful for you. If you have any other question, please do not hesitate to let us know.
Carlos R. Hernández