Have been self-hosting GitLab for my org a few years by now, with quite a few users (>800 atm). Updates are automatic via the GitLab Omnibus package repos. Once or twice per year some update requires intervention. Otherwise, nothing bad happens. Very happy so far.
Biggest problem at the moment is that AI scrapers (curse them and their owners, pox be upon their houses!) sometimes bring things to a crawl. But nothing that a few firewall rules and anoubis won't solve.
If you are running an org you should be putting all your private services behind netbird or tailscale at minimum. Zero public infra exposure beyond them.