It depends what you mean by "update ASM." New release? Update attack signatures database? Deploy a new policy? Something else? I would think that most gents (and ladies) will agree that it is an industry best practice to perform any updates in a manner that minimizes the impact and visibility to your business (customers) and maximizes the opportunity for confirming success before committing the changes permanently. Obviously, this is more critical for changes that are complex with wide ranging business impact, as compared with changes that are relatively simple (and well-understood) with minimal business impact. It is really your choice how much risk of business disruption you are willing to accept as compared to the business need to make the change. That's just Change Management 101.