MacOS command-line security updates: equivalent for apt-get update all

Tags: bash, command line, high sierra, software-update, terminal

I am accustomed to updating systems with sudo apt-get update and would like to ensure MacOS security updates are installed from the command line. This 'software update' command was issued on my machine:

$ softwareupdate -l
Software Update Tool
Finding available software
No new software available.

The article indicates that the unix equivalent is:

sudo softwareupdate -r

The list command returned that no updates are available: Can I expect that if there were security updates for the OS, they would be listed for download? I do not want to misinterpret the response and think that the box is updated when it is not updated.

Best Answer

Yes, security updates show up as recommended updates but softwareupdate -r at least on Mojave is invalid. Note softwareupdate will not install updates for things from the App Store.

If you run softwareupdate -l on a system that is due security updates you can see them prefixed with a * character in the --list output which means they are recommended and will be processed by the -r option.

This is from a system untouched for a month - as you can see there is a recommended Safari update and a recommended Security update that requires a restart.

Last login: Mon Dec  2 19:21:08 on ttys000
A1398% softwareupdate -l
Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Security Update -10.14.6
    Security Update  (10.14.6), 1531842K [recommended] [restart]
   * Safari13.0.4MojaveAuto-13.0.4
    Safari (13.0.4), 67332K [recommended]
A1398% 

You may either list all available updates with -l (which is closest to sudo apt-get update in that it doesn't download or install packages), download with -d or download and install them with -i. The -r switch on its own is not accepted.


  • To download and install recommended updates use softwareupdate -i -r. From man softwareupdate:

 -i | --install
             Each update specified by args is downloaded and installed.  args can be one of the
             following:

            -r | --recommended
                         All updates that are recommended for your system. These are prefixed
                         with a * character in the --list output.

A1398% softwareupdate -i -r
Software Update Tool

Finding available software

Downloaded Security Update
Downloaded Safari
Installing Security Update , Safari
Done with Safari
Done.

You have installed one or more updates that requires that you restart your computer.
Please restart immediately.
To automate the restart process with softwareupdate(8), use --restart.
A1398%

In this case the security update required a restart and this was advised. The -R (capital) or --restart option can automate this but you would want to check user session status before forcing a restart and potentially losing session state/unsaved changes/etc. Passing --restart requires root privilege so the command in this case would be sudo softwareupdate -irR


  • Optionally you can download and not install recommended software using softwareupdate -d -r

 -d | --download
             Each update specified by args is downloaded but not installed. The values of args
             are the same as for the --install command.

A1398% softwareupdate -d -r
Software Update Tool

Finding available software

Downloaded Security Update
Downloaded Safari
Done.
A1398%

If you wanted all instead of recommended you would replace -r with -a.

             -a | --all  All updates that are applicable to your system, including those non-
                         recommended ones, which are prefixed with a - character in the --list
                         output. (Non-recommended updates are uncommon in any case.)

Note that sudo on Mojave is required only for the --restart option but this rather old man page indicates that it was also required for installation in the past.

-i
--install
   Each update specified by args is downloaded, unarchived, and
   installed.  This command requires root.
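
The question's concern about misreading the listing, as an added example that is not part of the original answer: a shell function that classifies softwareupdate -l output in the Mojave-era format quoted above and reports anything it does not recognise as unknown rather than as up to date. The function and sample names are hypothetical, and the function assumes the listing format shown on this page.

```shell
#!/bin/sh
# Added example, not from the original answer. Classifies `softwareupdate -l`
# output in the Mojave-era format quoted above and prints one word:
#   none        - the tool explicitly said nothing is available
#   recommended - at least one [recommended] update is pending
#   restart     - a pending recommended update is also marked [restart]
#   unknown     - neither seen (empty output, error, changed format): NOT "up to date"
classify_updates() {
    awk '
        /No new software available/      { none = 1 }
        /\[recommended\]/                { rec = 1 }
        /\[recommended\].*\[restart\]/   { restart = 1 }
        END {
            if (restart)   print "restart"
            else if (rec)  print "recommended"
            else if (none) print "none"
            else           print "unknown"
        }'
}

# Sample input: the listing quoted in the answer above.
sample_pending() {
    cat <<'EOF'
Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Security Update -10.14.6
    Security Update  (10.14.6), 1531842K [recommended] [restart]
   * Safari13.0.4MojaveAuto-13.0.4
    Safari (13.0.4), 67332K [recommended]
EOF
}

# Sample input: the listing from the question.
sample_none() {
    printf '%s\n' 'Software Update Tool' 'Finding available software' \
        'No new software available.'
}

# Constructed sample: the tool printed its banner and nothing else.
sample_truncated() {
    printf '%s\n' 'Software Update Tool' 'Finding available software'
}

# On a Mac, classify the live listing (stderr merged so no message is lost).
if command -v softwareupdate >/dev/null 2>&1; then
    softwareupdate -l 2>&1 | classify_updates
fi
```

A scheduled check built on this should alert on unknown as well as on recommended and restart, since a failed catalog lookup produces no update lines at all.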