So your "read all the KBs and choose" strategy would have prevented this, really? You would have read that KB2949927 adds SHA-2 cryptographic support and said "No, we don't want that one. We'd rather stick with deprecated SHA-1"?
Do you actually deploy every update to a VM to test it? Would your testing have caught this issue (which apparently only affected people who'd explicitly disabled the BitLocker service)?
You could also just wait a week for anything noncritical to allow others to flush out any issues, which is a more time-efficient strategy than manually reviewing gobs of KB articles.
For most people, disabling auto-update is a horrible strategy. If you have a central team actively managing updates with WSUS, you can get away with this. For the vast majority of people, turning off auto-update just means they stop installing updates at all, which is the reason auto-update is the default.
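One way to implement the "central team with WSUS, security fixes now, everything else waits a week" approach described in the comment above, as an added example that is not part of the original post: a PowerShell script using the UpdateServices module that ships with the WSUS server role. The target group name ("Workstations") and the seven-day hold are assumptions for illustration; the cmdlets and the IUpdate properties (ArrivalDate, IsSuperseded, UpdateClassificationTitle) are the module's own.

```powershell
# Added example (not code from the comment or the thread): approve Security and
# Critical updates as soon as they sync, hold all other classifications for a
# quarantine period so other organisations surface problems first.
# Run on the WSUS server; requires the UpdateServices module (WSUS server role).
# Assumptions: the computer group 'Workstations' exists, and 7 days is the hold.

Import-Module UpdateServices

$TargetGroup = 'Workstations'   # assumed WSUS computer group
$HoldDays    = 7                # assumed quarantine period for noncritical updates
$Now         = Get-Date
$Urgent      = 'Security Updates', 'Critical Updates'   # WSUS classification titles

# Unapproved, not-yet-superseded updates of any classification and status.
$Pending = Get-WsusUpdate -Classification All -Approval Unapproved -Status Any |
    Where-Object { -not $_.Update.IsSuperseded }

# 1. Security and Critical classifications go out immediately.
$Pending |
    Where-Object { $_.Update.UpdateClassificationTitle -in $Urgent } |
    Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup -Verbose

# 2. Everything else (rollups, recommended fixes such as an update that adds
#    SHA-2 support) waits until it has been on the server for $HoldDays.
#    ArrivalDate is when this WSUS server synchronised the update, so the clock
#    only matches "time in the wild" if synchronisation runs daily.
$Pending |
    Where-Object {
        $u = $_.Update
        ($u.UpdateClassificationTitle -notin $Urgent) -and
        (($Now - $u.ArrivalDate).TotalDays -ge $HoldDays)
    } |
    Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup -Verbose

# 3. Report what is still being held, so the team can see the queue.
$Pending |
    Where-Object {
        $u = $_.Update
        ($u.UpdateClassificationTitle -notin $Urgent) -and
        (($Now - $u.ArrivalDate).TotalDays -lt $HoldDays)
    } |
    Select-Object @{n='KB';e={$_.Update.KnowledgebaseArticles -join ','}},
                  @{n='Classification';e={$_.Update.UpdateClassificationTitle}},
                  @{n='Arrived';e={$_.Update.ArrivalDate}},
                  @{n='Title';e={$_.Update.Title}} |
    Format-Table -AutoSize
```

Run it once with the two Approve-WsusUpdate lines swapped for Format-Table to confirm the classification filters match what you expect before scheduling it; a mis-typed classification title silently approves nothing. Note that the hold only buys you other people's testing, which is the point of the comment: it would not have flagged a problem that appears only on machines with a nondefault service configuration unless someone else hit it and reported it within the window.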