The question is:
Am I supposed to / should I upgrade when a new source tree becomes stable?
From a security point of view, you're supposed to upgrade the kernel as
soon as a release is made upstream. When a security fix is made
upstream, the vulnerability in question has been disclosed and any
machines not updated to that version are considered vulnerable.
This means that the package will probably be in ~arch in portage and not
marked stable until it's tested for 30 days or more. So "unstable" (in
portage terms) kernels are more secure than stable ones simply because
they're the latest available.