It turns out that apt-get (or libapt, more specifically) has a mechanism to automatically download and install security updates. This will work across package management applications (apt-get, synaptic, aptitude, etc) and is very simple to setup. Edit /etc/apt/apt.conf.d/10periodic to include the following:
Your distribution should already have a cron job (usually in /etc/cron.daily/apt) that runs every day and updates as per these configuration options. To see the entire config, run
$ apt-config dump
For those interested, this configuration setting is what Synaptic sets when using its "Install security updates without confirmation" option.
Thanks to g for pointing this out.